WO2017057165A1 - Vehicle communication system - Google Patents


Info

Publication number
WO2017057165A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
unit
processing unit
communication
discard
Application number
PCT/JP2016/077959
Other languages
French (fr)
Japanese (ja)
Inventor
井上 雅之
Original Assignee
株式会社オートネットワーク技術研究所
住友電装株式会社
住友電気工業株式会社
Application filed by 株式会社オートネットワーク技術研究所, 住友電装株式会社, 住友電気工業株式会社
Priority to CN201680052782.0A (published as CN108028855B)
Priority to US15/763,308 (published as US10554623B2)
Priority to DE112016004438.0T (published as DE112016004438T5)
Publication of WO2017057165A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks
    • H04L12/40006 Architecture of a communication node
    • H04L12/40013 Details regarding a bus controller
    • H04L12/40169 Flexible bus arrangements
    • H04L2012/40208 Bus networks characterized by the use of a particular bus standard
    • H04L2012/40215 Controller Area Network CAN
    • H04L2012/40267 Bus for use in transportation systems
    • H04L2012/40273 Bus for use in transportation systems, the transportation system being a vehicle
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/40 Support for services or applications
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H04L67/125 Protocols specially adapted for proprietary or special-purpose networking environments involving control of end-device applications over a network
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/40 Network arrangements, protocols or services independent of the application payload for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W4/00 Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/30 Services specially adapted for particular environments, situations or purposes
    • H04W4/40 Services specially adapted for particular environments, situations or purposes for vehicles, e.g. vehicle-to-pedestrians [V2P]
    • H04W4/48 Services specially adapted for particular environments, situations or purposes for vehicles, for in-vehicle communication

Definitions

  • The present invention relates to an in-vehicle communication system in which a plurality of communication devices connected to a common communication line transmit and receive messages.
  • ECU: Electronic Control Unit. A vehicle is equipped with a plurality of ECUs.
  • CAN: Controller Area Network.
  • The plurality of ECUs each proceed with their own processing while exchanging information via the network.
  • An unauthorized program can be injected into an ECU.
  • An ECU into which an unauthorized program has been injected may transmit an unauthorized message onto the vehicle network, which may cause other ECUs connected to the network to malfunction.
  • Patent Document 1 proposes a communication system that performs message authentication by MAC (Message Authentication Code) without changing the CAN protocol.
  • In that system, each ECU counts the number of message transmissions for each CAN-ID.
  • The transmitting node generates a MAC from the data field of the main message, the CAN-ID and the count value, and transmits it as a separate MAC message.
  • The receiving node generates a MAC from the data field, CAN-ID and count value of the received main message, and determines whether it matches the MAC included in the MAC message.
  • In Non-Patent Document 1, each ECU monitors the messages flowing on the network, and when a message carrying a CAN-ID that the ECU itself is supposed to transmit is transmitted by another ECU, that message is determined to be an illegal message.
  • A communication system has also been proposed in which an ECU that detects an illegal message transmits an error frame before transmission of the illegal message is completed, thereby preventing its transmission.
  • In such a system, an ECU that detects an unauthorized message transmits an error frame so that the unauthorized message is not transmitted.
  • However, the ECU whose message transmission failed (the illegal ECU) then repeats retransmission of the message until the message is transmitted without error.
  • The communication line is occupied by these retransmissions, and there is a possibility that regular message transmission by other ECUs is hindered.
  • The present invention has been made in view of such circumstances, and its object is to provide an in-vehicle communication system capable of preventing the communication line from being occupied by repeated transmission of an unauthorized message.
  • An in-vehicle communication system according to the present invention is one in which a plurality of communication devices mounted on a vehicle are connected via a common communication line, and includes a determination unit that determines whether or not a message transmitted on the communication line is a regular message;
  • a discard unit that, when the determination unit determines that the message is not a legitimate message, performs processing for discarding the message before transmission of the message is completed; a storage unit that stores identification information of the message discarded by the discard unit;
  • and a reception completion notification unit that, when a message with the identification information stored in the storage unit is transmitted, outputs to the communication line a signal indicating that reception of the message is completed, regardless of the determination result of the determination unit.
  • Each communication device has a prohibition unit that prohibits processing based on a message with the identification information stored in the storage unit, and the discard unit does not perform the discard processing for a message to which the identification information stored in the storage unit is attached.
  • The in-vehicle communication system may include a storage erasure unit that erases the identification information stored in the storage unit when the signal is output from the reception completion notification unit.
  • The in-vehicle communication system may include a monitoring device that is connected to the communication line, includes the determination unit, the discard unit and the storage unit, and monitors messages transmitted on the communication line;
  • in that case each communication device includes the storage unit, and at least one of the monitoring device and the plurality of communication devices includes the reception completion notification unit.
  • Alternatively, each communication device includes the determination unit, the discard unit and the storage unit, and at least one of the plurality of communication devices includes the reception completion notification unit.
  • Another in-vehicle communication system according to the present invention includes a determination unit that determines whether or not a message transmitted on the communication line is a regular message;
  • a discard unit that, when the message is determined not to be legitimate, performs processing for discarding the message before its transmission is completed; a counter that counts the number of times the message is discarded by the discard unit; and a reception completion notification unit that, when the number counted by the counter exceeds a predetermined number, outputs to the communication line a signal indicating that reception of the message is completed, regardless of the determination result of the determination unit.
  • Each communication device has a prohibition unit that prohibits processing based on the received message when the number counted by the counter exceeds the predetermined number, and the discard unit does not perform the discard processing for the message when the number counted by the counter exceeds the predetermined number.
  • This system may include a storage unit that stores identification information of the discarded message,
  • and an initialization unit that initializes the counter when a message with identification information different from that stored in the storage unit is transmitted to the communication line.
  • The in-vehicle communication system may include an initialization unit that initializes the counter when the signal from the reception completion notification unit is output.
  • The in-vehicle communication system may include a monitoring device that is connected to the communication line, includes the determination unit, the discard unit and the counter, and monitors messages transmitted on the communication line;
  • in that case each communication device includes the counter, and at least one of the monitoring device and the plurality of communication devices includes the reception completion notification unit.
  • Alternatively, each communication device includes the determination unit, the discard unit and the counter, and at least one of the plurality of communication devices includes the reception completion notification unit.
  • The monitoring device may be a gateway device connected to a plurality of communication lines that relays messages between the communication lines.
  • In the present invention, a determination unit determines whether or not a message is a legitimate message, and a discard unit discards a message that is not legitimate before its transmission is completed;
  • a storage unit stores the identification information attached to the discarded message, and a reception completion notification unit outputs a signal indicating completion of reception when a message with the identification information stored in the storage unit is received.
  • The determination unit, the discard unit, the storage unit and the reception completion notification unit may be provided in each communication device included in the in-vehicle communication system, or may be provided in a monitoring device connected to the communication line.
  • Each communication device of the in-vehicle communication system does not perform processing based on a message with the identification information stored in the storage unit.
  • The discard unit does not perform discard processing for a message to which the identification information stored in the storage unit is attached. That is, the discard unit discards the first transmission of an invalid message, and the identification information of the discarded message is stored at that time. When, in response to this discard, the unauthorized communication device retransmits the unauthorized message, the retransmitted message is not discarded, because the identification information attached to it is already stored in the storage unit.
  • Instead, the reception completion notification unit outputs the reception completion signal, and each communication device does not perform processing based on the unauthorized message. When the reception completion signal is output, the unauthorized communication device that transmitted the unauthorized message determines that the message has been received by another communication device, so the unauthorized message is not retransmitted again.
  • The storage unit that stores the identification information of the discarded message erases the stored identification information when the reception completion notification unit outputs the reception completion signal. This prevents a situation in which processing based on a regular message carrying the same identification information as the illegal message
  • is no longer performed by each ECU.
  • In the other system of the present invention, a determination unit determines whether or not a message is a normal message, and a discard unit discards a message that is not normal before its transmission is completed;
  • a counter counts the number of times the message is discarded, and a reception completion notification unit outputs a signal indicating reception completion when the number counted by the counter exceeds a predetermined number.
  • The determination unit, the discard unit, the counter and the reception completion notification unit may be provided in each communication device included in the in-vehicle communication system, or in a monitoring device connected to the communication line.
  • Each communication device of the in-vehicle communication system does not perform processing based on the received message when the number counted by the counter exceeds the predetermined number.
  • The discard unit does not perform discard processing for the message when the number counted by the counter exceeds the predetermined number.
  • That is, the discard unit discards an illegal message up to the predetermined number of times, and the counter counts the number of discards.
  • When the count exceeds the predetermined number, the reception completion notification unit outputs the reception completion signal, and each communication device does not perform processing based on this illegal message.
  • When the reception completion signal is output, the unauthorized communication device that transmitted the unauthorized message determines that the message has been received by another communication device, so the unauthorized message is not retransmitted.
  • The storage unit stores the identification information attached to the message discarded by the discard unit, and when a message with identification information different from the stored identification information is detected on the communication line, the counter is initialized. This makes it possible to count with the counter only when messages with the same identification information are transmitted consecutively.
  • The counter that counts the number of discards initializes its count value when the reception completion signal is output by the reception completion notification unit. This prevents a situation in which processing based on a regular message is no longer performed in each ECU.
  • When the monitoring device is configured to perform processing such as discarding messages, it is preferable that the monitoring device be a gateway device that relays messages between communication lines. The gateway device can then perform discard processing for a plurality of communication lines collectively.
  • In the present invention, once the invalid message has been discarded, the reception completion signal is output without discarding the invalid message again, and each communication device does not perform processing based on this message.
  • FIG. 1 is a schematic diagram illustrating the configuration of an in-vehicle communication system according to Embodiment 1.
  • A flowchart showing the procedure of the monitoring process performed by the monitoring device according to this embodiment.
  • A flowchart showing the procedure of the reception process performed by each ECU according to this embodiment.
  • A flowchart showing the procedure of the reception process performed by each ECU according to this embodiment.
  • A block diagram showing the configuration of an in-vehicle communication system according to Modification 1.
  • A block diagram showing the configuration of an in-vehicle communication system according to Modification 2.
  • FIG. 6 is a block diagram illustrating the configuration of an in-vehicle communication system according to Embodiment 2.
  • FIG. 10 is a flowchart illustrating the procedure of the monitoring process performed by the monitoring device according to the second embodiment.
  • FIG. 7 is a flowchart illustrating the procedure of the reception process performed by each ECU according to Embodiment 2.
  • FIG. 7 is a flowchart illustrating the procedure of the reception process performed by each ECU according to Embodiment 2.
  • FIG. 1 is a schematic diagram showing the configuration of the in-vehicle communication system according to the first embodiment.
  • The in-vehicle communication system according to Embodiment 1 has a configuration in which a plurality of ECUs 30 mounted on a vehicle 1 are connected via a common communication line 2, and a monitoring device 10 that monitors the transmission and reception of messages by the ECUs 30 via the communication line 2
  • is provided.
  • The monitoring device 10 includes a processing unit 11, a communication unit 12, a storage unit 13, and the like.
  • The processing unit 11 is configured using an arithmetic processing device such as a CPU (Central Processing Unit) or an MPU (Micro-Processing Unit), and performs various processes related to message monitoring by executing a program stored in a ROM (Read Only Memory) or the like (not shown).
  • CPU: Central Processing Unit
  • MPU: Micro-Processing Unit
  • ROM: Read Only Memory
  • The communication unit 12 is connected to the communication line 2 and can send and receive messages to and from the ECUs 30 via the communication line 2.
  • The communication unit 12 can be configured using a so-called CAN controller.
  • The communication unit 12 receives a message by sampling the potential of the communication line 2 and passes the message to the processing unit 11; it also converts a message for transmission given by the processing unit 11 into an electrical signal and outputs it to the communication line 2, so that the message can be sent.
  • The monitoring device 10 does not need to exchange messages with the ECUs 30; the communication unit 12 is used to monitor the messages transmitted and received between the ECUs 30 via the communication line 2.
  • The storage unit 13 is configured using a rewritable memory element such as SRAM (Static Random Access Memory) or DRAM (Dynamic Random Access Memory).
  • The processing unit 11 can store various data, such as received messages, in the storage unit 13.
  • The monitoring device 10 monitors the messages transmitted and received via the communication line 2, determines whether a message is an illegal message, and stores the ID attached to a message that has been subjected to discard processing.
  • In the processing unit 11, a determination processing unit 21, a discard processing unit 22, a notification processing unit 23 and an erasure
  • processing unit 24 and the like are realized as software function blocks by executing a program for monitoring processing stored in a ROM or the like.
  • The determination processing unit 21 determines whether a message transmitted by an ECU 30 on the communication line 2 is a regular message. In the present embodiment, the determination method used by the determination processing unit 21 is not specified.
  • The determination processing unit 21 may, for example, be configured to perform the determination based on a MAC attached to the message, or to determine a message with an ID not registered in advance to be an unauthorized message. Alternatively, the determination may be made by some other method.
  • The discard processing unit 22 performs a process that causes all ECUs 30 connected to the communication line 2 to discard a message that the determination processing unit 21 has determined not to be a regular message, that is, an unauthorized message. Specifically, the discard processing unit 22 discards the invalid message by outputting an error frame from the communication unit 12 to the communication line 2 before transmission of the invalid message onto the communication line 2 is completed.
  • When the discard processing unit 22 discards a message, the processing unit 11 stores the ID attached to the unauthorized message in the storage unit 13 as a discard ID. In the present embodiment, one ID is stored in the storage unit 13 as the discard ID.
  • The notification processing unit 23 determines whether or not the ID of the message output to the communication line 2 matches the ID stored as the discard ID in the storage unit 13. When the two IDs match, the notification processing unit 23 notifies completion of reception of this message regardless of whether or not the message is genuine. Specifically, the notification processing unit 23 causes the communication unit 12 to output an ACK to the communication line 2 in response to the transmission of this message, thereby notifying the ECU 30 that is the transmission source of the message that reception is complete. Because the notification processing unit 23 performs this notification, the transmission source of the unauthorized message is informed that reception has been completed, and retransmission of the unauthorized message is prevented.
  • The erasure processing unit 24 erases the ID stored as the discard ID from the storage unit 13 when the notification processing unit 23 outputs the ACK.
  • Because the erasure processing unit 24 erases the discard ID, a situation in which each ECU 30 no longer performs processing based on a regular message with the same ID as the discard ID is prevented.
  • Each (regular) ECU 30 included in the in-vehicle communication system according to the present embodiment includes a processing unit 31, a communication unit 32, a storage unit 33, and the like.
  • The processing unit 31 is configured using an arithmetic processing device such as a CPU or MPU, and performs various processes related to control of the vehicle 1.
  • The communication unit 32 transmits and receives messages to and from other ECUs 30 via the communication line 2, and can be configured using a so-called CAN controller.
  • The communication unit 32 receives a message by sampling the potential of the communication line 2 and passes it to the processing unit 31; it also converts a message for transmission given by the processing unit 31 into an electrical signal and outputs it to the communication line 2, so that the message can be sent.
  • The ECU 30 can receive a message transmitted from another ECU 30 through the communication unit 32 and perform processing based on the received message in the processing unit 31. Moreover, the ECU 30 can transmit the information produced
  • The processing unit 31 can perform a control process for switching on/off of
  • The processing that the ECU 30 performs based on a received message is not limited to this; any kind of processing may be used.
  • The storage unit 33 is configured using a rewritable memory element such as SRAM or DRAM.
  • The processing unit 31 can store various data related to control in the storage unit 33.
  • When the monitoring device 10 outputs an error frame before a message output to the communication line 2 is completely transmitted, the ECU 30 according to the present embodiment discards this message in the middle of the reception process.
  • At that time, the ID attached to this message is stored in the storage unit 33 as a discard ID.
  • In the present embodiment, one ID is stored in the storage unit 33 as the discard ID.
  • In the processing unit 31 of the ECU 30, a prohibition processing unit 41 is realized as a software functional block by executing a program for communication processing stored in a ROM or the like.
  • The prohibition processing unit 41 prohibits processing that uses a message with the same ID as the discard ID stored in the storage unit 33. Accordingly, when the communication unit 32 receives a message with the same ID as the discard ID stored in the storage unit 33, the processing unit 31 does not perform processing using this message. This prevents each ECU 30 from performing processing based on a message that has the same ID as a message that the monitoring device 10 determined to be invalid and subjected to discard processing.
  • When a message with the same ID as the discard ID is received, the prohibition processing unit 41 also outputs an ACK notifying completion of reception and deletes the discard ID from the storage unit 33. (That is, the prohibition processing unit 41 performs substantially the same processing as the notification processing unit 23 and the erasure processing unit 24 of the monitoring device 10.)
  • FIG. 2 is a flowchart showing the procedure of the monitoring process performed by the monitoring device 10 according to the present embodiment.
  • The processing unit 11 of the monitoring device 10 determines whether or not an ECU 30 has started transmitting a message on the communication line 2 (step S1). When no message is being transmitted (S1: NO), the processing unit 11 waits until an ECU 30 transmits a message. When an ECU 30 transmits a message (S1: YES), the processing unit 11 acquires the message ID at the moment the ID is output to the communication line 2 (step S2). The processing unit 11 also acquires the ID stored as the discard ID in the storage unit 13 (step S3). If no discard ID is stored in the storage unit 13 at this time, the processing unit 11 need not acquire an ID.
  • The processing unit 11 determines whether or not the ID acquired in step S2 matches the ID acquired in step S3 (step S4). If the discard ID could not be acquired in step S3, the processing unit 11 may determine in step S4 that the IDs do not match. When the two IDs do not match (S4: NO), the determination processing unit 21 of the processing unit 11 acquires the authentication information (MAC) included in the message when it is output to the communication line 2, determines whether the acquired authentication information is correct (step S5), and thereby determines whether the message being transmitted on the communication line 2 is a regular message (step S6).
  • In this example, authentication information is attached to the message, and whether the message is correct is determined based on this authentication information.
  • However, the determination of message correctness is not limited to the use of authentication information; it may be carried out by another method.
  • If the message is not a regular message (S6: NO), the discard processing unit 22 of the processing unit 11 outputs an error frame to the communication line 2 before transmission of this message is completed
  • (step S7), and the ECUs 30 discard this message.
  • The processing unit 11 then stores the ID of this message as the discard ID in the storage unit 13 (step S8), and ends the process.
  • When the determination processing unit 21 determines that the message being transmitted on the communication line 2 is a regular message (S6: YES), the message is not discarded.
  • When the ID acquired in step S2 matches the ID acquired in step S3 (S4: YES), the notification processing unit 23 of the processing unit 11 outputs an ACK to the communication line 2 (step S9), notifying completion of reception of this message.
  • The processing unit 11 then deletes the ID stored as the discard ID from the storage unit 13 (step S10), and ends the process.
  • The processing unit 31 of the ECU 30 according to the present embodiment determines whether a message is being transmitted from another ECU 30 to the communication line 2 (step S21). If no message is being transmitted (S21: NO), the processing unit 31 waits until another ECU 30 transmits one. When another ECU 30 transmits a message (S21: YES), the processing unit 31 acquires the message ID at the point when the ID is output on the communication line 2 (step S22). The processing unit 31 also acquires the ID stored as the discard ID in the storage unit 33 (step S23); if no discard ID is stored in the storage unit 33 at this time, the processing unit 31 need not acquire one.
  • The processing unit 31 determines whether the ID acquired in step S22 matches the ID acquired in step S23 (step S24). If no discard ID could be acquired in step S23, the processing unit 31 may treat the IDs as not matching in step S24. If the two IDs do not match (S24: NO), the processing unit 31 determines whether an error frame was received before transmission of the message completed (step S25). If no error frame was received (S25: NO), the processing unit 31 receives the message output on the communication line 2 (step S26), outputs an ACK to the communication line 2 (step S27) to notify the sender that reception is complete, performs processing based on the received message (step S28), and ends the process.
  • If an error frame was received (S25: YES), the processing unit 31 aborts reception of the message and discards it (step S29). The processing unit 31 then stores the ID of this message as the discard ID in the storage unit 33 (step S30) and ends the process.
  • If the ID acquired in step S22 matches the ID acquired in step S23 (S24: YES), the prohibition processing unit 41 of the processing unit 31 prohibits processing based on the received message (step S31). The processing unit 31 nevertheless outputs an ACK to the communication line 2 (step S32) to notify the sender that reception is complete, deletes the ID stored as the discard ID in the storage unit 33 (step S33), and ends the process.
  • As described above, the in-vehicle communication system according to the first embodiment, in which a plurality of ECUs 30 are connected via the common communication line 2, determines whether each message transmitted on the communication line 2 is a legitimate message.
  • The system is provided with the monitoring apparatus 10, which includes the determination processing unit 21 that makes this determination, the discard processing unit 22 that causes a message determined to be illegitimate to be discarded before its transmission completes, the storage unit 13 that stores the ID of the discarded message as the discard ID, and the notification processing unit 23 that outputs an ACK signal indicating completion of reception when a message carrying the stored discard ID is transmitted. The discard processing unit 22 does not perform the discard process on a message whose ID is stored as the discard ID in the storage unit 13.
  • Each ECU 30 stores the ID attached to a message that has been discarded by the monitoring device 10 as the discard ID in its storage unit 33, and its prohibition processing unit 41 prohibits processing based on any message carrying the ID stored in the storage unit 33, so that no processing based on the illegal message is performed.
  • With this configuration, the discard processing unit 22 of the monitoring device 10 discards the first transmission of an invalid message, and the ID of the discarded message is stored by the monitoring device 10 and by each ECU 30.
  • When the same message is retransmitted, the ID attached to the retransmitted message is already stored in the monitoring device 10 and in each ECU 30.
  • The discard processing unit 22 therefore does not discard the retransmission, and the notification processing unit 23 outputs the reception-completion ACK signal.
  • At the same time, each ECU 30 is prohibited from performing processing based on the unauthorized message.
  • The unauthorized ECU that transmitted the unauthorized message therefore judges that the message has been received by another ECU 30, so retransmission of the unauthorized message ceases and the communication line 2 is not occupied by it.
  • The erasure processing unit 24 of the monitoring device 10 erases the ID stored as the discard ID in the storage unit 13 when the reception-completion ACK signal is output by the notification processing unit 23.
  • Each ECU 30 likewise erases the ID stored in its storage unit 33 when it receives a message carrying the ID stored as the discard ID. This prevents processing based on a legitimate message that carries the same ID as an earlier illegal message from being prohibited thereafter.
  • In the first embodiment, the monitoring apparatus 10 is configured such that the processing unit 11 performs each process of the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, and the erasure processing unit 24, but the present invention is not limited to this configuration.
  • For example, the storage unit 13 may be configured to be directly accessible by the communication unit 12, or may be provided within the communication unit 12.
  • Similarly, the ECU 30 is configured such that the processing of the prohibition processing unit 41 is performed by the processing unit 31, but this is not a limitation; the processing may, for example, be performed by the communication unit 32.
  • In the first embodiment, each ECU 30 included in the in-vehicle communication system of the vehicle 1 communicates according to the CAN protocol, but each ECU 30 may instead communicate according to a protocol other than CAN, for example TCP/IP or FlexRay.
  • The in-vehicle communication system mounted on the vehicle 1 has been described as an example, but the present invention is not limited to this. The present technology may also be applied to a communication system mounted on a mobile body such as an aircraft or a ship, or installed in a factory or an office, that is, to a communication system other than an in-vehicle one.
  • Further, although the monitoring device 10 is provided separately from the ECUs 30 in the first embodiment, each ECU 30 may itself perform the processes of the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, and the erasing processing unit 24.
  • FIG. 5 is a block diagram illustrating the configuration of the in-vehicle communication system according to Modification 1.
  • The in-vehicle communication system according to Modification 1 does not include the monitoring device 10 that monitors the messages transmitted and received on the communication line 2; instead, each ECU 130 connected to the communication line 2 monitors the messages.
  • Each ECU 130 executes a predetermined program stored in a ROM or the like, whereby a determination processing unit 21, a discard processing unit 22, a notification processing unit 23, an erasing processing unit 24, a prohibition processing unit 41, and the like are realized as functional blocks.
  • The processing performed by these functional blocks is substantially the same as that of the monitoring device 10 and the ECU 30 according to the first embodiment described above.
  • Each ECU 130 according to Modification 1 determines whether a message transmitted from another ECU 130 to the communication line 2 is a legitimate message.
  • The determination processing unit 21 may, for example, be configured to judge a message to be illegal when another ECU 130 transmits a message carrying an ID that the ECU 130 itself should transmit, or to judge on the basis of authentication information attached to the message, or to judge by some other method.
  • When a message is judged to be illegal, the discard processing unit 22 of each ECU 130 outputs an error frame to the communication line 2 before transmission of the message completes, thereby causing the other ECUs 130 to discard the unauthorized message.
  • The processing unit 131 of each ECU 130 stores the ID attached to the message as the discard ID in the storage unit 33, both when the message was discarded by its own discard processing unit 22 and when it was discarded because another ECU 130 output an error frame.
  • The notification processing unit 23 of each ECU 130 outputs an ACK signal to the communication line 2 when the ID of a message transmitted on the communication line 2 matches the discard ID stored in the storage unit 33, notifying the sender that reception is complete. However, the prohibition processing unit 41 of each ECU 130 prohibits processing based on a message whose ID matches the stored discard ID, so the processing unit 131 of each ECU 130 performs no processing based on the illegal message. When the notification processing unit 23 outputs the ACK signal, the deletion processing unit 24 of each ECU 130 deletes the ID stored as the discard ID in the storage unit 33.
  • Since each ECU 130 includes the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, the deletion processing unit 24, and the prohibition processing unit 41, it is possible to prevent an unauthorized ECU from repeating retransmission of an unauthorized message without providing a separate monitoring device 10.
  • FIG. 6 is a block diagram illustrating the configuration of the in-vehicle communication system according to Modification 2.
  • The in-vehicle communication system according to Modification 2 has a configuration in which the communication line 2 and the communication line 3, each having a plurality of ECUs 30 connected to it, are connected to the gateway 210, and the gateway 210 relays messages between the communication lines 2 and 3.
  • The gateway 210 can be provided with a monitoring function similar to that of the monitoring device 10 according to the first embodiment.
  • The gateway 210 includes a processing unit 211, communication units 12a and 12b, and a storage unit 13.
  • The two communication units 12a and 12b are connected to the communication lines 2 and 3, respectively, and send and receive messages to and from the ECUs 30 via the communication line to which each is connected.
  • The processing unit 211 relays a message between the communication lines 2 and 3 by transmitting a message received by one of the communication units 12a and 12b from the other. Further, the processing unit 211 executes a predetermined program stored in a ROM or the like, whereby the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, the deletion processing unit 24, and the like are realized as software functional blocks.
  • The processing performed by these functional blocks is substantially the same as that of the monitoring device 10 according to the first embodiment described above, except that message monitoring is performed separately for each of the two communication lines 2 and 3.
  • In Modification 2, the message monitoring function is provided in the gateway 210 to which the plurality of communication lines 2 and 3 are connected.
  • Message monitoring can therefore be performed centrally at the gateway 210, and the in-vehicle communication system can be made smaller and cheaper than a configuration in which a monitoring device 10 is provided on each of the communication lines 2 and 3.
  • FIG. 7 is a block diagram illustrating the configuration of the in-vehicle communication system according to the second embodiment.
  • The in-vehicle communication system according to the second embodiment has a configuration in which a plurality of ECUs 330 mounted on the vehicle 1 are connected via a common communication line 2, and a monitoring device 310 that monitors the transmission and reception of messages by the ECUs 330 via the communication line 2 is provided.
  • The monitoring device 310 includes a processing unit 311, a communication unit 12, a storage unit 13, a counter 314, and the like.
  • The processing unit 311 is configured using an arithmetic processing device such as a CPU or MPU, and performs various processes related to message monitoring by executing a program stored in a ROM (not shown) or the like.
  • The counter 314 is a circuit that holds a numerical value, increments (counts up) the held value in response to an addition instruction from the processing unit 311, and resets the held value to 0 in response to an initialization instruction. In the second embodiment, the counter 314 counts the number of times a message has been determined to be invalid and discarded.
  • In the processing unit 311, a determination processing unit 21, a discard processing unit 22, a notification processing unit 23, an erasure processing unit 24, an initialization processing unit 325, and the like are realized as software functional blocks by executing a program for monitoring processing stored in a ROM or the like.
  • The determination processing unit 21 determines whether a message transmitted by an ECU 330 on the communication line 2 is a legitimate message. When the determination processing unit 21 determines that the message is not legitimate, the discard processing unit 22 outputs an error frame to the communication line 2 before transmission of the message completes, thereby causing the ECUs 330 to discard the invalid message.
  • At this time the processing unit 311 stores the ID attached to the unauthorized message as the discard ID in the storage unit 13 and counts up the counter 314.
  • When a subsequent message is transmitted on the communication line 2, the processing unit 311 determines whether the ID of that message matches the discard ID stored in the storage unit 13. If the two IDs do not match, the invalid message is judged not to have been retransmitted; the initialization processing unit 325 of the processing unit 311 initializes the counter 314, and the deletion processing unit 24 deletes the discard ID stored in the storage unit 13. If the two IDs match, the processing unit 311 determines whether the value held in the counter 314 exceeds a predetermined number. If the value of the counter 314 does not exceed the predetermined number, the determination processing unit 21 determines, as above, whether the message is legitimate, and the discard processing unit 22 discards it if it is invalid.
  • If the value of the counter 314 exceeds the predetermined number, the notification processing unit 23 has the communication unit 12 output an ACK to the communication line 2 in response to the transmission of the message, regardless of whether the message is genuine, so that the message's sender is notified that reception is complete.
  • When the notification processing unit 23 outputs an ACK, the erasure processing unit 24 erases the ID stored as the discard ID in the storage unit 13, and the initialization processing unit 325 initializes the counter 314.
  • Each ECU 330 included in the in-vehicle communication system according to the second embodiment includes a processing unit 331, a communication unit 32, a storage unit 33, a counter 334, and the like.
  • The processing unit 331 is configured using an arithmetic processing device such as a CPU or MPU, and performs various processes related to the control of the vehicle 1. In the processing unit 331, a prohibition processing unit 41 is realized as a software functional block by executing a program for communication processing stored in a ROM or the like.
  • The counter 334 is a circuit that holds a numerical value, counts up the held value in response to an addition command from the processing unit 331, and resets the held value to 0 in response to an initialization command.
  • When a message is discarded by the monitoring device 310 (that is, when an error frame is received before transmission of the message completes), the processing unit 331 of each ECU 330 stores the ID attached to that message as the discard ID in the storage unit 33 and counts up the counter 334.
  • The prohibition processing unit 41 prohibits processing based on a message carrying the same ID as the discard ID stored in the storage unit 33 once, as described below, the counter 334 exceeds the predetermined number.
  • When a subsequent message is transmitted on the communication line 2, the processing unit 331 determines whether the ID of that message matches the discard ID stored in the storage unit 33. If the two IDs do not match, the invalid message is judged not to have been retransmitted, and the processing unit 331 initializes the counter 334 and erases the discard ID stored in the storage unit 33.
  • If the two IDs match, the processing unit 331 determines whether the value held in the counter 334 exceeds a predetermined number. The predetermined number that the ECU 330 compares with the counter 334 is the same value as the predetermined number that the monitoring device 310 compares with the counter 314. If the value of the counter 334 does not exceed the predetermined number, the processing unit 331 performs normal message reception processing (though the message may still be discarded by the monitoring device 310).
  • If the value of the counter 334 exceeds the predetermined number, the processing unit 331 has the communication unit 32 output an ACK to the communication line 2 in response to the transmission of the message, notifying the sender that reception is complete. At the same time, the processing unit 331 deletes the ID stored as the discard ID in the storage unit 33 and initializes the counter 334.
  • FIG. 8 is a flowchart showing the procedure of the monitoring process performed by the monitoring apparatus 310 according to the second embodiment.
  • The processing unit 311 of the monitoring device 310 according to the second embodiment determines whether an ECU 330 is transmitting a message to the communication line 2 (step S51). If no message is being transmitted (S51: NO), the processing unit 311 waits until an ECU 330 transmits one. When an ECU 330 transmits a message (S51: YES), the processing unit 311 acquires the message ID at the point when the ID is output on the communication line 2 (step S52). The processing unit 311 also acquires the ID stored as the discard ID in the storage unit 13 (step S53); if no discard ID is stored in the storage unit 13 at this time, the processing unit 311 need not acquire one.
  • The processing unit 311 determines whether the ID acquired in step S52 matches the ID acquired in step S53 (step S54). If no discard ID could be acquired in step S53, the processing unit 311 may treat the IDs as not matching in step S54. If the two IDs do not match (S54: NO), the initialization processing unit 325 of the processing unit 311 initializes the counter 314 (step S55), the erasure processing unit 24 of the processing unit 311 erases the ID stored as the discard ID in the storage unit 13 (step S56), and the process proceeds to step S58.
  • If the two IDs match (S54: YES), the processing unit 311 determines whether the value held in the counter 314 exceeds the predetermined number (step S57). If the value of the counter 314 does not exceed the predetermined number (S57: NO), or after the ID has been erased from the storage unit 13 in step S56, the determination processing unit 21 of the processing unit 311 acquires the authentication information contained in the message at the point when it is output on the communication line 2, checks whether the acquired authentication information is correct (step S58), and thereby determines whether the message being transmitted on the communication line 2 is a legitimate message (step S59).
  • If the message is determined not to be legitimate (S59: NO), the discard processing unit 22 of the processing unit 311 outputs an error frame to the communication line 2 before transmission of the message completes (step S60), causing the ECUs 330 to discard the message.
  • The processing unit 311 stores the ID of this message as the discard ID in the storage unit 13 (step S61), adds 1 to the value of the counter 314 (step S62), and ends the process.
  • If the value of the counter 314 exceeds the predetermined number (S57: YES), or if the determination processing unit 21 determines that the message being transmitted on the communication line 2 is a legitimate message (S59: YES), the notification processing unit 23 of the processing unit 311 outputs an ACK to the communication line 2 (step S63), notifying the sender that reception of the message is complete.
  • The processing unit 311 then deletes the ID stored as the discard ID in the storage unit 13 (step S64), initializes the counter 314 (step S65), and ends the process.
  • FIGS. 9 and 10 are flowcharts showing the procedure of the reception process performed by each ECU 330 according to the second embodiment.
  • The processing unit 331 of the ECU 330 according to the second embodiment determines whether a message is being transmitted from another ECU 330 to the communication line 2 (step S71). If no message is being transmitted (S71: NO), the processing unit 331 waits until another ECU 330 transmits one. When another ECU 330 transmits a message (S71: YES), the processing unit 331 acquires the message ID at the point when the ID is output on the communication line 2 (step S72). The processing unit 331 also acquires the ID stored as the discard ID in the storage unit 33 (step S73); if no discard ID is stored in the storage unit 33 at this time, the processing unit 331 need not acquire one.
  • The processing unit 331 determines whether the ID acquired in step S72 matches the ID acquired in step S73 (step S74). If no discard ID could be acquired in step S73, the processing unit 331 may treat the IDs as not matching in step S74. If the two IDs do not match (S74: NO), the processing unit 331 determines whether an error frame was received before transmission of the message completed (step S75). If no error frame was received (S75: NO), the processing unit 331 receives the message output on the communication line 2 (step S76), outputs an ACK to the communication line 2 (step S77) to notify the sender that reception is complete, and performs processing based on the received message (step S78). The processing unit 331 then initializes the counter 334 (step S79), deletes the ID stored as the discard ID in the storage unit 33 (step S80), and ends the process.
  • If an error frame was received (S75: YES), the processing unit 331 aborts reception of the message and discards it (step S81), stores the ID of this message as the discard ID in the storage unit 33 (step S82), adds 1 to the value of the counter 334 (step S83), and ends the process.
  • If the two IDs match (S74: YES), the processing unit 331 determines whether the value held in the counter 334 exceeds the predetermined number (step S84). If it does not (S84: NO), the processing unit 331 proceeds to step S75. If it does (S84: YES), the prohibition processing unit 41 of the processing unit 331 prohibits processing based on the received message (step S85). The processing unit 331 nevertheless outputs an ACK to the communication line 2 (step S86), notifying the sender that reception is complete, then deletes the ID stored as the discard ID in the storage unit 33 (step S87), initializes the counter 334 (step S88), and ends the process.
  • As described above, the in-vehicle communication system according to the second embodiment, in which a plurality of ECUs 330 are connected via the common communication line 2, is provided with the monitoring apparatus 310, which has the determination processing unit 21 that determines whether a message is legitimate, the discard processing unit 22 that discards an unauthorized message before its transmission completes, the counter 314 that counts the number of times a message has been discarded, and the notification processing unit 23 that outputs an ACK signal when the value held in the counter exceeds a predetermined number.
  • The discard processing unit 22 does not perform the discard process when the value of the counter 314 exceeds the predetermined number.
  • Each ECU 330 has a counter 334 that counts the number of times a message has been discarded by the monitoring device 310, and when the value of the counter 334 exceeds the predetermined number, processing based on the received message is prohibited and not performed.
  • With this configuration, the discard processing unit 22 discards an unauthorized message until the predetermined number is exceeded, and the counters 314 and 334 count the number of times the message has been discarded.
  • Once the count exceeds the predetermined number, the notification processing unit 23 of the monitoring device 310 outputs an ACK signal, while each ECU 330 is prohibited from performing processing based on the unauthorized message.
  • The unauthorized ECU that transmitted the unauthorized message therefore judges that the message has been received by an ECU 330, so the unauthorized message is not retransmitted.
  • The monitoring device 310 also includes the storage unit 13 that stores the ID attached to a message discarded by the discard processing unit 22, and the counter 314 is initialized when a message carrying an ID different from the ID stored in the storage unit 13 is transmitted on the communication line 2.
  • Likewise, each ECU 330 includes the storage unit 33 that stores the ID attached to a message discarded by the monitoring device 310, and the counter 334 is initialized when a message carrying an ID different from the ID stored in the storage unit 33 is transmitted. As a result, the counters 314 and 334 count only while the same ID is transmitted consecutively.
  • The counters 314 and 334 are also initialized when the ACK signal is output by the notification processing unit 23 of the monitoring device 310. This prevents processing based on legitimate messages from remaining prohibited in each ECU 330.
  • In the second embodiment, the monitoring apparatus 310 that performs each process of the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, the deletion processing unit 24, and the initialization processing unit 325 is provided separately from the ECUs 330.
  • However, as in Modification 1 of the first embodiment, each ECU 330 may instead perform each process of the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, the erasing processing unit 24, and the initialization processing unit 325.
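The two mechanisms summarised above, the discard-ID memory of the first embodiment (monitoring device 10 and ECU 30) and the discard counter of the second embodiment (monitoring device 310 and ECU 330), can be seen side by side in the following bus simulation. It is an added example written for this page, not code from the patent or its assignees: the bus model, the Frame type whose auth_ok flag stands in for the unspecified authentication check of steps S5/S58, the limit parameter (the "predetermined number"), and the sample frame contents are all constructed assumptions. Step numbers in the comments refer to the flowcharts described above.

```python
"""Simulated CAN bus running the patent's two anti-retransmission policies.
Constructed example, not code from the patent or its assignees. A frame carries a
CAN ID, a payload and an auth_ok flag standing in for the unspecified authentication
check of steps S5/S58. Step numbers refer to Figs. 3/4 (Embodiment 1) and 8-10
(Embodiment 2).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes
    auth_ok: bool  # assumption: result of the authentication check


class Monitor:
    """Monitoring device 10 (limit=None) or 310 (limit=N, the predetermined number)."""

    def __init__(self, limit: Optional[int] = None) -> None:
        self.limit = limit
        self.discard_id: Optional[int] = None  # storage unit 13
        self.counter = 0                        # counter 314 (Embodiment 2 only)

    def observe(self, frame: Frame) -> Tuple[bool, bool]:
        """Return (error_frame_sent, ack_sent) for one frame seen on the bus."""
        matches = frame.can_id == self.discard_id           # S4 / S54
        if self.limit is None:                              # Embodiment 1
            if matches or frame.auth_ok:                    # S4: YES or S6: YES
                return self._ack()                          # S9 ACK, S10 erase
            self.discard_id = frame.can_id                  # S8
            return True, False                              # S7 error frame
        if not matches:                                     # S54: NO
            self.counter = 0                                # S55
            self.discard_id = None                          # S56
        elif self.counter > self.limit:                     # S57: YES
            return self._ack()                              # S63-S65, auth not checked
        if frame.auth_ok:                                   # S59: YES
            return self._ack()
        self.discard_id = frame.can_id                      # S61
        self.counter += 1                                   # S62
        return True, False                                  # S60 error frame

    def _ack(self) -> Tuple[bool, bool]:
        self.discard_id, self.counter = None, 0             # S10 / S64, S65
        return False, True


class Ecu:
    """ECU 30 (limit=None) or ECU 330 (limit=N; must equal the monitor's limit)."""

    def __init__(self, limit: Optional[int] = None) -> None:
        self.limit = limit
        self.discard_id: Optional[int] = None  # storage unit 33
        self.counter = 0                        # counter 334
        self.processed: List[Frame] = []        # frames handed to application logic

    def observe(self, frame: Frame, error_frame: bool) -> bool:
        """Return True if this ECU asserted ACK for the frame."""
        matches = frame.can_id == self.discard_id           # S24 / S74
        if matches and (self.limit is None or self.counter > self.limit):
            self.discard_id, self.counter = None, 0         # S31-S33 / S85-S88: prohibit, ACK, forget
            return True
        if error_frame:                                     # S25: YES / S75: YES
            self.discard_id = frame.can_id                  # S30 / S82
            self.counter += 1                               # S83
            return False                                    # S29 / S81: reception aborted
        self.processed.append(frame)                        # S26-S28 / S76-S78
        if self.limit is not None:
            self.discard_id, self.counter = None, 0         # S79 / S80 (Embodiment 2 only)
        return True                                         # S27 / S77 ACK


def transmit(frame: Frame, monitor: Monitor, ecus: List[Ecu]) -> bool:
    """One attempt to send frame; True if it completed without error and was ACKed."""
    error_frame, monitor_ack = monitor.observe(frame)
    ecu_acks = [ecu.observe(frame, error_frame) for ecu in ecus]
    return not error_frame and (monitor_ack or any(ecu_acks))


def send_until_acked(frame: Frame, monitor: Monitor, ecus: List[Ecu], cap: int = 50) -> int:
    """CAN automatic retransmission: repeat until the frame completes. Returns attempts used."""
    for attempt in range(1, cap + 1):
        if transmit(frame, monitor, ecus):
            return attempt
    return cap  # only the cap stops it; on a real bus the line would stay occupied


def scenario(limit: Optional[int]) -> Dict[str, int]:
    """A compromised ECU forges ID 0x100; afterwards the ID's real owner sends a genuine frame."""
    monitor = Monitor(limit)
    ecus = [Ecu(limit), Ecu(limit)]
    forged = Frame(0x100, b"\xde\xad\xbe\xef", auth_ok=False)  # constructed sample
    genuine = Frame(0x100, b"\x01\x02\x03\x04", auth_ok=True)  # constructed sample
    attempts = send_until_acked(forged, monitor, ecus)
    genuine_acked = transmit(genuine, monitor, ecus)
    return {
        "forged_attempts": attempts,
        "forged_processed": sum(f is forged for e in ecus for f in e.processed),
        "genuine_acked": int(genuine_acked),
        "genuine_processed": sum(f is genuine for e in ecus for f in e.processed),
    }
```

scenario(None) stops the forged frame after two attempts (one error frame, then an ACK with processing prohibited), and scenario(2) discards it three times before the ACK on the fourth attempt, because the flowcharts test "exceeds" (counter > N) rather than "reaches". In both cases the genuine frame that follows with the same ID is ACKed and processed by every ECU, since the discard IDs and counters were cleared when the ACK was output. One detail worth noticing when reading the flowcharts: the monitoring device 10 forgets its discard ID on every ACK (step S10), whereas the ECU 30 of FIG. 4 keeps it until a matching ID arrives (step S33); the second-embodiment flowcharts clear both on any non-matching ID (steps S55/S56 and S79/S80), so that the count only runs while the same ID is transmitted consecutively.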


Abstract

Provided is a vehicle communication system which can prevent a communication line from being occupied by repeated transmission of an unauthorized message. In this vehicle communication system, in which a plurality of ECUs are connected through a communication line, a monitoring device is provided having: a determination processing unit which determines whether a message is authorized; a discard processing unit which discards an unauthorized message before its transmission is complete; a storage unit which stores the ID of a discarded message; and a notification processing unit which outputs an ACK signal indicating reception completion when a message having an ID stored in the storage unit is received. The discard processing unit does not discard a message whose ID is stored in the storage unit. Each ECU stores, in its own storage unit, the IDs assigned to messages on which the monitoring device has performed the discard process, and prohibits processing on the basis of messages with those IDs.

Description

車載通信システムIn-vehicle communication system
 本発明は、共通の通信線に接続された複数の通信装置がメッセージの送受信を行う車載通信システムに関する。 The present invention relates to an in-vehicle communication system in which a plurality of communication devices connected to a common communication line transmit and receive messages.
 従来、車両には複数のECU(Electronic Control Unit)が搭載され、これらがCAN(Controller Area Network)などのネットワークを介して接続されている。これら複数のECUは、ネットワークを介して情報を交換しながら各個の処理を進めている。近年では車両内のネットワークの規模が大きくなる傾向がある。このような車両のネットワークに対する攻撃として、例えばECUに不正なプログラムを注入することが行われ得る。不正なプログラムを注入されたECUは、車両のネットワークへ不正なメッセージ送信を行う可能性があり、これによりネットワークに接続された他のECUが誤動作するなどの虞がある。 Conventionally, a plurality of ECUs (Electronic Control Units) are mounted on a vehicle, and these are connected via a network such as CAN (Controller Area Network). The plurality of ECUs proceed with each process while exchanging information via a network. In recent years, there is a tendency that the size of a network in a vehicle becomes large. As an attack on such a vehicle network, for example, an unauthorized program can be injected into the ECU. An ECU into which an unauthorized program has been injected may transmit an unauthorized message to the vehicle network, which may cause other ECUs connected to the network to malfunction.
 特許文献1においては、CANプロトコルを変更せずにMAC(Message Authentication Code)によるメッセージ認証を行う通信システムが提案されている。この通信システムにおいては、各ECUがCAN-ID毎にメッセージの送信回数をカウントする。送信ノードは、メインメッセージのデータフィールド、CAN-ID及びカウント値からMACを生成してMACメッセージとして送信する。受信ノードは、受信したメインメッセージに含まれるデータフィールド、CAN-IDとカウント値とからMACを生成し、MACメッセージに含まれるMACと一致するかを判断する。 Patent Document 1 proposes a communication system that performs message authentication by MAC (Message Authentication Code) without changing the CAN protocol. In this communication system, each ECU counts the number of message transmissions for each CAN-ID. The transmission node generates a MAC from the data field of the main message, the CAN-ID and the count value, and transmits it as a MAC message. The receiving node generates a MAC from the data field, CAN-ID, and count value included in the received main message, and determines whether the MAC matches the MAC included in the MAC message.
 非特許文献1においては、各ECUがネットワーク上を流れるメッセージを監視し、自身が送信するはずのCAN-IDが付されたメッセージが他のECUから送信された場合にこれを不正メッセージと判断し、不正メッセージを検出したECUが不正メッセージの送信完了前にエラーフレームを送信することで送信を阻止する通信システムが提案されている。 In Non-Patent Document 1, each ECU monitors a message flowing on the network, and when a message with a CAN-ID to be transmitted from another ECU is transmitted from another ECU, it is determined as an illegal message. A communication system has been proposed in which an ECU that detects an illegal message transmits an error frame before transmission of the illegal message is completed, thereby preventing transmission.
特開2013-98719号公報JP 2013-98719 A
 非特許文献1に記載の通信システムでは、不正メッセージを検出したECUがエラーフレームを送信して不正メッセージの送信を阻止している。しかしながら、メッセージの送信がエラーとなったECU(不正なECU)は、このメッセージがエラーなく送信されるまで、メッセージの再送信を繰り返すこととなる。このようなメッセージの再送信が繰り返され続けた場合、これにより通信線が占有されてしまい、他のECUによる正規のメッセージ送信が阻害される虞がある。 In the communication system described in Non-Patent Document 1, an ECU that detects an unauthorized message transmits an error frame to prevent the unauthorized message from being transmitted. However, the ECU (illegal ECU) in which the message transmission is in error repeats the message retransmission until the message is transmitted without error. When such re-transmission of the message continues, the communication line is occupied by this, and there is a possibility that regular message transmission by other ECUs may be hindered.
 本発明は、斯かる事情に鑑みてなされたものであって、その目的とするところは、不正なメッセージ送信が繰り返されて通信線が占有されることを防止し得る車載通信システムを提供することにある。 The present invention has been made in view of such circumstances, and an object of the present invention is to provide an in-vehicle communication system capable of preventing communication lines from being occupied due to repeated unauthorized message transmission. It is in.
 本発明に係る車載通信システムは、車両に搭載された複数の通信装置が共通の通信線を介して接続された車載通信システムにおいて、前記通信線上に送信されたメッセージが正規のメッセージであるか否かを判定する判定部と、前記判定部が正規のメッセージでないと判定したメッセージを、該メッセージの送信完了前に破棄させる処理を行う破棄部と、前記破棄部により破棄されたメッセージの識別情報を記憶する記憶部と、前記記憶部に記憶された識別情報が付されたメッセージを受信した場合に、前記判定部の判定結果に関わらず、当該メッセージの受信を完了したことを示す信号を前記通信線へ出力する受信完了通知部とを備え、各通信装置は、前記記憶部に記憶された識別情報が付されたメッセージに基づく処理を禁止する禁止部を有し、前記破棄部は、前記記憶部に記憶された識別情報が付されたメッセージに対しては破棄させる処理を行わないことを特徴とする。 The in-vehicle communication system according to the present invention is an in-vehicle communication system in which a plurality of communication devices mounted on a vehicle are connected via a common communication line, and whether or not the message transmitted on the communication line is a regular message. A determination unit that determines whether the message is determined not to be a legitimate message, a discard unit that performs processing for discarding the message before transmission completion of the message, and identification information of the message discarded by the discard unit When receiving a message to which the storage unit stores and identification information stored in the storage unit, a signal indicating that the reception of the message is completed is received regardless of a determination result of the determination unit. A reception completion notification unit that outputs to a line, and each communication device is prohibited from performing processing based on a message with identification information stored in the storage unit Has, the discard unit may not perform the processing to discard for identification information stored in the storage unit is attached message.
 The in-vehicle communication system according to the present invention further comprises a storage erasure unit that erases the identification information stored in the storage unit when the signal from the reception completion notification unit has been output.
 The in-vehicle communication system according to the present invention further comprises a monitoring device that is connected to the communication line, has the determination unit, the discard unit and the storage unit, and monitors messages transmitted on the communication line; each communication device has the storage unit, and at least one of the monitoring device and the plurality of communication devices has the reception completion notification unit.
 In the in-vehicle communication system according to the present invention, each communication device has the determination unit, the discard unit and the storage unit, and at least one of the plurality of communication devices has the reception completion notification unit.
 An in-vehicle communication system according to the present invention is also an in-vehicle communication system in which a plurality of communication devices mounted on a vehicle are connected via a common communication line, and comprises: a determination unit that determines whether or not a message transmitted on the communication line is a legitimate message; a discard unit that performs processing to cause a message the determination unit has determined not to be a legitimate message to be discarded before transmission of that message is completed; a counter that counts the number of times a message has been discarded by the discard unit; and a reception completion notification unit that, when the number counted by the counter exceeds a predetermined number, outputs to the communication line a signal indicating that reception of the message has been completed, regardless of the determination result of the determination unit. Each communication device has a prohibition unit that prohibits processing based on a received message when the number counted by the counter exceeds the predetermined number, and the discard unit does not perform processing to discard a message when the number counted by the counter exceeds the predetermined number.
 The in-vehicle communication system according to the present invention further comprises a storage unit that stores the identification information of a discarded message when a message is discarded by the discard unit, and an initialization unit that initializes the counter when a message bearing identification information different from the identification information stored in the storage unit is transmitted on the communication line.
 The in-vehicle communication system according to the present invention further comprises an initialization unit that initializes the counter when the signal from the reception completion notification unit has been output.
 The in-vehicle communication system according to the present invention further comprises a monitoring device that is connected to the communication line, has the determination unit, the discard unit and the counter, and monitors messages transmitted on the communication line; each communication device has the counter, and at least one of the monitoring device and the plurality of communication devices has the reception completion notification unit.
 In the in-vehicle communication system according to the present invention, each communication device has the determination unit, the discard unit and the counter, and at least one of the plurality of communication devices has the reception completion notification unit.
 In the in-vehicle communication system according to the present invention, the monitoring device is a gateway device that is connected to a plurality of communication lines and relays messages between the communication lines.
 In the present invention, an in-vehicle communication system in which a plurality of communication devices are connected via a common communication line is provided with a determination unit that determines whether or not a message is legitimate, a discard unit that causes a non-legitimate message to be discarded before its transmission is completed, a storage unit that stores the identification information attached to the discarded message, and a reception completion notification unit that outputs a signal indicating reception completion when a message bearing the identification information stored in the storage unit is received. The determination unit, discard unit, storage unit and reception completion notification unit may be provided in each communication device included in the in-vehicle communication system, or in a monitoring device connected to the communication line.
 Each communication device of the in-vehicle communication system does not perform processing based on a message bearing the identification information stored in the storage unit. Furthermore, the discard unit does not perform processing to discard a message bearing the identification information stored in the storage unit.
 That is, in this in-vehicle communication system, the first transmission of an unauthorized message is discarded by the discard unit, and the identification information of the message discarded at that time is stored. If, in response to this discarding, an unauthorized communication device retransmits the unauthorized message, for example, the identification information attached to the retransmitted message is already stored in the storage unit, so the discard unit does not discard it and the reception completion notification unit outputs the reception completion signal; however, no communication device performs processing based on this unauthorized message. Because the reception completion signal is output, the unauthorized communication device that sent the unauthorized message judges that the message has been received by another communication device, so the unauthorized message is no longer retransmitted.
 In the present invention, the storage unit that stores the identification information of the discarded message also erases the stored identification information when the reception completion notification unit has output the reception completion signal. This prevents a situation in which legitimate messages bearing the same identification information as the unauthorized message are no longer processed by each ECU.
 In the present invention, an in-vehicle communication system in which a plurality of communication devices are connected via a common communication line is also provided with a determination unit that determines whether or not a message is legitimate, a discard unit that causes a non-legitimate message to be discarded before its transmission is completed, a counter that counts the number of times a message has been discarded, and a reception completion notification unit that outputs a signal indicating reception completion when the number counted by the counter exceeds a predetermined number. The determination unit, discard unit, counter and reception completion notification unit may be provided in each communication device included in the in-vehicle communication system, or in a monitoring device connected to the communication line.
 Each communication device of the in-vehicle communication system does not perform processing based on a received message when the number counted by the counter exceeds the predetermined number. Furthermore, the discard unit does not perform processing to discard a message when the number counted by the counter exceeds the predetermined number.
 That is, in this in-vehicle communication system, transmissions of an unauthorized message up to the predetermined number of times are discarded by the discard unit, and the number of times the message has been discarded is counted by the counter. If, in response to this discarding, an unauthorized communication device repeatedly retransmits the unauthorized message, for example, and the number of discards exceeds the predetermined number, the reception completion notification unit outputs the reception completion signal; however, no communication device performs processing based on this unauthorized message. Because the reception completion signal is output, the unauthorized communication device that sent the unauthorized message judges that the message has been received by another communication device, so the unauthorized message is no longer retransmitted.
 In the present invention, a storage unit that stores the identification information attached to a message discarded by the discard unit is also provided, and the counter is initialized when a message bearing identification information different from that stored in the storage unit is transmitted on the communication line. This allows the counter to count only while the same identification information is being transmitted continuously.
 In the present invention, the counter that counts the number of message discards also initializes its count value when the reception completion notification unit has output the reception completion signal. This prevents a situation in which processing based on legitimate messages is no longer performed by each ECU.
 In the present invention, when the monitoring device is configured to perform the processing such as discarding messages, the monitoring device is preferably a gateway device that relays messages between communication lines. This allows the gateway device to perform the discard processing and the like for a plurality of communication lines collectively.
 According to the present invention, when retransmission of an unauthorized message is further repeated after the unauthorized message has been discarded, the reception completion signal is output without discarding the unauthorized message, and each communication device is configured not to perform processing based on that message; this prevents the communication line from being occupied by repeated unauthorized message transmission.
FIG. 1 is a schematic diagram showing the configuration of the in-vehicle communication system according to Embodiment 1.
FIG. 2 is a flowchart showing the procedure of the monitoring process performed by the monitoring device according to the present embodiment.
FIG. 3 is a flowchart showing the procedure of the reception process performed by each ECU according to the present embodiment.
FIG. 4 is a flowchart showing the procedure of the reception process performed by each ECU according to the present embodiment.
FIG. 5 is a block diagram showing the configuration of the in-vehicle communication system according to Modification 1.
FIG. 6 is a block diagram showing the configuration of the in-vehicle communication system according to Modification 2.
FIG. 7 is a block diagram showing the configuration of the in-vehicle communication system according to Embodiment 2.
FIG. 8 is a flowchart showing the procedure of the monitoring process performed by the monitoring device according to Embodiment 2.
FIG. 9 is a flowchart showing the procedure of the reception process performed by each ECU according to Embodiment 2.
FIG. 10 is a flowchart showing the procedure of the reception process performed by each ECU according to Embodiment 2.
(Embodiment 1)
 Hereinafter, the present invention will be described specifically with reference to the drawings showing embodiments thereof. FIG. 1 is a schematic diagram showing the configuration of the in-vehicle communication system according to Embodiment 1. The in-vehicle communication system according to Embodiment 1 has a configuration in which a plurality of ECUs 30 mounted on a vehicle 1 are connected via a common communication line 2, and comprises a monitoring device 10 that monitors the transmission and reception of messages by the ECUs 30 via the communication line 2.
 The monitoring device 10 comprises a processing unit 11, a communication unit 12, a storage unit 13 and the like. The processing unit 11 is configured using an arithmetic processing device such as a CPU (Central Processing Unit) or MPU (Micro-Processing Unit), and performs various processing related to message monitoring by executing a program stored in a ROM (Read Only Memory) or the like (not shown).
 The communication unit 12 is connected to the communication line 2 and can transmit and receive messages to and from the other ECUs 30 via this communication line 2. The communication unit 12 may be configured using a so-called CAN controller. The communication unit 12 receives a message by sampling the potential of the communication line 2 and passes it to the processing unit 11, and can transmit a message by converting a message for transmission given by the processing unit 11 into an electrical signal and outputting it to the communication line 2. However, the monitoring device 10 according to the present embodiment does not need to transmit and receive messages with the ECUs 30; the communication unit 12 is used to monitor the messages transmitted and received between the ECUs 30 via the communication line 2.
 The storage unit 13 is configured using a rewritable memory element such as SRAM (Static Random Access Memory) or DRAM (Dynamic Random Access Memory). The processing unit 11 can store various data such as received messages in the storage unit 13. In particular, the monitoring device 10 according to the present embodiment monitors the messages transmitted and received via the communication line 2 and stores in the storage unit 13 the ID that was attached to a message it determined to be unauthorized and subjected to discard processing.
 In the processing unit 11 of the monitoring device 10 according to the present embodiment, a determination processing unit 21, a discard processing unit 22, a notification processing unit 23, an erasure processing unit 24 and the like are realized as software functional blocks by executing a program for the monitoring process stored in the ROM or the like. The determination processing unit 21 determines whether or not a message transmitted by an ECU 30 on the communication line 2 is a legitimate message. The present embodiment does not prescribe the method by which the determination processing unit 21 judges a message. The determination processing unit 21 may, for example, make the determination based on a MAC attached to the message, or may, for example, determine a message bearing an ID that has not been registered in advance to be an unauthorized message, or may make the determination by some other method.
 The discard processing unit 22 performs processing that causes all ECUs 30 connected to the communication line 2 to discard a message that the determination processing unit 21 has determined not to be legitimate, that is, an unauthorized message. Specifically, the discard processing unit 22 causes the unauthorized message to be discarded by outputting an error frame from the communication unit 12 onto the communication line 2 before transmission of the unauthorized message output on the communication line 2 is completed. When the discard processing unit 22 has performed discard processing, the processing unit 11 stores the ID that was attached to this unauthorized message in the storage unit 13 as the discard ID. In the present embodiment, one ID is stored in the storage unit 13 as the discard ID. Because the discard processing unit 22 discards the unauthorized message, the unauthorized message is prevented from being received by the ECUs 30 and processed.
 The notification processing unit 23 determines whether or not the ID of a message output on the communication line 2 matches the ID stored as the discard ID in the storage unit 13. If the two IDs match, the notification processing unit 23 performs processing to notify completion of reception of this message, regardless of whether or not the message is legitimate. Specifically, the notification processing unit 23 notifies the ECU 30 that is the source of this message of reception completion by having the communication unit 12 output an ACK onto the communication line 2 in response to the transmission of this message. Because the notification processing unit 23 performs this notification processing, the source of the unauthorized message can be notified of reception completion, and the unauthorized message can be prevented from being retransmitted continually.
 When the notification processing unit 23 has output an ACK, the erasure processing unit 24 performs processing to erase from the storage unit 13 the ID stored there as the discard ID. Because the erasure processing unit 24 erases the discard ID, a situation in which legitimate messages bearing the same ID as the discard ID are no longer processed by each ECU 30 is prevented.
 Each ECU 30 included in the in-vehicle communication system according to the present embodiment (that is, each legitimate ECU 30) comprises a processing unit 31, a communication unit 32, a storage unit 33 and the like. The processing unit 31 is configured using an arithmetic processing device such as a CPU or MPU and performs various processing related to control of the vehicle 1. The communication unit 32 is for transmitting and receiving messages to and from the other ECUs 30 via the communication line 2, and may be configured using a so-called CAN controller. The communication unit 32 receives a message by sampling the potential of the communication line 2 and passes it to the processing unit 31, and can transmit a message by converting a message for transmission given by the processing unit 31 into an electrical signal and outputting it to the communication line 2.
 Thus the ECU 30 can receive a message transmitted by another ECU 30 at the communication unit 32 and perform processing based on the received message in the processing unit 31. The ECU 30 can also transmit information generated by the processing of the processing unit 31 from the communication unit 32 to the other ECUs 30 as a message. For example, if the ECU 30 is an ECU that controls the headlights of the vehicle 1, it receives as a message brightness information that another ECU 30 has detected with a sensor, and the processing unit 31 can perform control processing that switches the headlights on or off according to the brightness information contained in the received message. The processing the ECU 30 performs based on a received message is not limited to this and may be any processing.
 The storage unit 33 is configured using a rewritable memory element such as SRAM or DRAM. The processing unit 31 can store various data related to control in the storage unit 33. Furthermore, when the monitoring device 10 outputs an error frame before transmission of a message output on the communication line 2 has been completed, the ECU 30 according to the present embodiment discards this message partway through reception processing and stores the ID that was attached to this message in the storage unit 33 as the discard ID. In the present embodiment, one ID is stored in the storage unit 33 as the discard ID.
 In the processing unit 31 of the ECU 30 according to the present embodiment, a prohibition processing unit 41 is realized as a software functional block by executing a program for communication processing stored in a ROM or the like. The prohibition processing unit 41 prohibits processing that uses a message bearing the same ID as the discard ID stored in the storage unit 33. Thus when the communication unit 32 receives a message bearing the same ID as the discard ID stored in the storage unit 33, the processing unit 31 does not perform processing using this message. This prevents each ECU 30 from performing processing based on a message with the same ID as a message that the monitoring device 10 determined to be unauthorized and subjected to discard processing.
 Furthermore, when the communication unit 32 receives a message bearing the same ID as the discard ID stored in the storage unit 33, the prohibition processing unit 41 outputs an ACK notifying reception completion and performs processing to erase the discard ID stored in the storage unit 33. (That is, the prohibition processing unit 41 also performs substantially the same processing as the notification processing unit 23 and the erasure processing unit 24 of the monitoring device 10.)
 FIG. 2 is a flowchart showing the procedure of the monitoring process performed by the monitoring device 10 according to the present embodiment. The processing unit 11 of the monitoring device 10 according to the present embodiment determines whether or not an ECU 30 has transmitted a message on the communication line 2 (step S1). If no message transmission has taken place (S1: NO), the processing unit 11 waits until a message is transmitted by an ECU 30. If an ECU 30 has transmitted a message (S1: YES), the processing unit 11 acquires the ID of the message at the point where the ID has been output on the communication line 2 (step S2). The processing unit 11 also acquires the ID stored as the discard ID in the storage unit 13 (step S3). If no discard ID is stored in the storage unit 13 at this time, the processing unit 11 need not acquire an ID.
 The processing unit 11 determines whether or not the ID acquired in step S2 matches the ID acquired in step S3 (step S4). If no discard ID could be acquired in step S3, the processing unit 11 may determine in step S4 that the IDs do not match. If the two IDs do not match (S4: NO), the determination processing unit 21 of the processing unit 11 acquires the authentication information (MAC) contained in the message at the point where it has been output on the communication line 2, checks the validity of the acquired authentication information (step S5), and determines whether or not the message being transmitted on the communication line 2 is a legitimate message (step S6). In this flowchart, authentication information is attached to the message and the legitimacy of the message is determined on the basis of this authentication information, but this is only one example; the legitimacy of the message may be determined by a method other than using authentication information.
 If the determination processing unit 21 determines that the message being transmitted on the communication line 2 is not a legitimate message (S6: NO), the discard processing unit 22 of the processing unit 11 outputs an error frame on the communication line 2 before transmission of this message is completed (step S7), causing the ECUs 30 to discard this message. The processing unit 11 then stores the ID of this message in the storage unit 13 as the discard ID (step S8) and ends the process.
 If the determination processing unit 21 determines that the message being transmitted on the communication line 2 is a legitimate message (S6: YES), the notification processing unit 23 of the processing unit 11 outputs an ACK on the communication line 2 (step S9) to notify completion of reception of this message. The processing unit 11 then erases the ID stored as the discard ID in the storage unit 13 (step S10) and ends the process.
 FIG. 3 and FIG. 4 are flowcharts showing the procedure of the reception process performed by each ECU 30 according to the present embodiment. The processing unit 31 of the ECU 30 according to the present embodiment determines whether or not another ECU 30 has transmitted a message on the communication line 2 (step S21). If no message transmission has taken place (S21: NO), the processing unit 31 waits until a message is transmitted by another ECU 30. If another ECU 30 has transmitted a message (S21: YES), the processing unit 31 acquires the ID of the message at the point where the ID has been output on the communication line 2 (step S22). The processing unit 31 also acquires the ID stored as the discard ID in the storage unit 33 (step S23). If no discard ID is stored in the storage unit 33 at this time, the processing unit 31 need not acquire an ID.
The processing unit 31 determines whether the ID acquired in step S22 matches the ID acquired in step S23 (step S24). If no discard ID could be acquired in step S23, the processing unit 31 may simply determine in step S24 that the IDs do not match. If the two IDs do not match (S24: NO), the processing unit 31 determines whether an error frame was received before transmission of the message completed (step S25). If no error frame was received (S25: NO), the processing unit 31 receives the message output on communication line 2 (step S26). The processing unit 31 outputs an ACK to communication line 2 (step S27), notifying completion of reception of the message. The processing unit 31 then performs processing based on the received message (step S28) and ends the process.
If an error frame was received before transmission of the message on communication line 2 completed (S25: YES), the processing unit 31 aborts reception of the message and discards it (step S29). The processing unit 31 also stores the ID of this message in the storage unit 33 as a discard ID (step S30) and ends the process.
If the ID acquired in step S22 matches the ID acquired in step S23 (S24: YES), the prohibition processing unit 41 of the processing unit 31 prohibits processing based on the received message (step S31). The processing unit 31 outputs an ACK to communication line 2 (step S32), notifying completion of reception of the message. The processing unit 31 then erases the ID stored as the discard ID in the storage unit 33 (step S33) and ends the process.
The in-vehicle communication system according to Embodiment 1, configured as above, places a monitoring device 10 in an in-vehicle communication system in which a plurality of ECUs 30 are connected via a common communication line 2. The monitoring device 10 has a determination processing unit 21 that determines whether a message is legitimate, a discard processing unit 22 that causes an illegitimate message to be discarded before its transmission completes, a storage unit 13 that stores the ID of the discarded message, and a notification processing unit 23 that outputs an ACK signal indicating completion of reception when a message bearing an ID stored in the storage unit 13 is received. The discard processing unit 22 does not perform the discard process on a message bearing an ID stored in the storage unit 13 as a discard ID. Each ECU 30 stores in its storage unit 33, as a discard ID, the ID that was attached to a message discarded by the monitoring device 10, and its prohibition processing unit 41 prohibits processing based on any message bearing the ID stored in the storage unit 33, so that no processing based on the illegitimate message is performed.
That is, in the in-vehicle communication system according to the present embodiment, the first transmission of an illegitimate message is discarded by the discard processing unit 22 of the monitoring device 10, and the ID of the discarded message is stored in both the monitoring device 10 and the ECUs 30. If an unauthorized ECU or the like retransmits the illegitimate message in response to this discard, the ID attached to the retransmitted message is already stored in the monitoring device 10 and the ECUs 30, so the discard processing unit 22 of the monitoring device 10 does not discard it and the notification processing unit 23 outputs the reception-complete ACK signal instead; in each ECU 30, however, processing based on this illegitimate message is prohibited and is not performed. Because a reception-complete ACK signal is output for the illegitimate message, the unauthorized ECU that sent it concludes that the message was received by the other ECUs 30, and it stops retransmitting the illegitimate message.
The erasure processing unit 24 of the monitoring device 10 erases the ID stored as the discard ID in the storage unit 13 when the notification processing unit 23 outputs the reception-complete ACK signal. Similarly, when each ECU 30 receives a message bearing the ID stored as the discard ID in its storage unit 33, it erases the ID stored in the storage unit 33. This prevents a situation in which processing based on a legitimate message that happens to carry the same ID as the illegitimate message is no longer performed by the ECUs 30.
In the present embodiment the monitoring device 10 is configured so that the processing unit 11 performs the processes of the determination processing unit 21, the discard processing unit 22, the notification processing unit 23 and the erasure processing unit 24, but this is not limiting; for example, the communication unit 12 may perform them. In that case the storage unit 13 may be made directly accessible to the communication unit 12, or may be provided within the communication unit 12. Similarly, the ECU 30 is configured so that the processing unit 31 performs the process of the prohibition processing unit 41, but this is not limiting; for example, the communication unit 32 may perform it.
In the present embodiment each ECU 30 included in the in-vehicle communication system of the vehicle 1 communicates according to the CAN protocol, but this is not limiting. Each ECU 30 may communicate according to a protocol other than CAN, for example TCP/IP or FlexRay. The description has used an in-vehicle communication system mounted on the vehicle 1 as an example, but this is not limiting either; the present technique may be applied to communication systems other than in-vehicle ones, such as a communication system mounted on a mobile body such as an aircraft or ship, or one installed in a factory or office. In the embodiment described above, the monitoring device 10 that performs the processes of the determination processing unit 21, the discard processing unit 22, the notification processing unit 23 and the erasure processing unit 24 is provided separately from the ECUs 30, but this is not limiting. For example, as shown in Modification 1 below, each ECU 30 may perform the processes of the determination processing unit 21, the discard processing unit 22, the notification processing unit 23 and the erasure processing unit 24.
(Modification 1)
FIG. 5 is a block diagram showing the configuration of the in-vehicle communication system according to Modification 1. The in-vehicle communication system according to Modification 1 does not have a monitoring device 10 that monitors the messages exchanged on communication line 2; instead, each ECU 130 connected to communication line 2 monitors the messages. In each ECU 130, executing a predetermined program stored in a ROM or the like realizes the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, the erasure processing unit 24, the prohibition processing unit 41 and so on in the processing unit 131 as software functional blocks. The processing these functional blocks perform is substantially the same as that of the monitoring device 10 and the ECUs 30 of Embodiment 1 described above.
That is, in each ECU 130 according to Modification 1, the determination processing unit 21 determines whether a message transmitted by another ECU 130 on communication line 2 is legitimate. Here the determination processing unit 21 may, for example, judge a message illegitimate when another ECU 130 transmits a message with an ID that the ECU 130 itself is supposed to transmit, or it may make the determination based on authentication information attached to the message, or by some other method. When the determination processing unit 21 judges a message illegitimate, the discard processing unit 22 of each ECU 130 outputs an error frame to communication line 2 before transmission of the message completes, causing the other ECUs 130 to discard the illegitimate message. The processing unit 131 of each ECU 130 stores the ID attached to the message in the storage unit 33 as a discard ID both when its own discard processing unit 22 discarded the message and when the message was discarded because of an error frame output by another ECU 130.
When the ID of a message transmitted on communication line 2 matches the discard ID stored in the storage unit 33, the notification processing unit 23 of each ECU 130 outputs an ACK signal to communication line 2, notifying the sender of the message that reception is complete. However, the prohibition processing unit 41 of each ECU 130 prohibits processing based on a message bearing an ID that matches the discard ID stored in the storage unit 33, so the processing unit 131 of each ECU 130 performs no processing based on the illegitimate message. When the notification processing unit 23 outputs an ACK signal, the erasure processing unit 24 of each ECU 130 erases the ID stored in the storage unit 33 as the discard ID.
Thus, in the in-vehicle communication system according to Modification 1, giving each ECU 130 the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, the erasure processing unit 24 and the prohibition processing unit 41 prevents an unauthorized ECU from repeatedly retransmitting an illegitimate message.
(Modification 2)
FIG. 6 is a block diagram showing the configuration of the in-vehicle communication system according to Modification 2. In the in-vehicle communication system according to Modification 2, communication line 2 and communication line 3, each with a plurality of ECUs 30 connected to it, are connected to a gateway 210, and the gateway 210 relays messages between communication lines 2 and 3. In this configuration, the gateway 210 can be given a monitoring function like that of the monitoring device 10 of Embodiment 1.
The gateway 210 according to Modification 2 comprises a processing unit 211, communication units 12a and 12b, and a storage unit 13. The two communication units 12a and 12b are connected to communication lines 2 and 3 respectively, and exchange messages with the ECUs 30 via the communication line to which each is connected. The processing unit 211 relays messages between communication lines 2 and 3 by transmitting from one of the communication units 12a, 12b a message received by the other. Further, by executing a predetermined program stored in a ROM or the like, the processing unit 211 realizes the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, the erasure processing unit 24 and so on as software functional blocks. The processing these functional blocks perform is substantially the same as that of the monitoring device 10 of Embodiment 1, except that message monitoring is performed separately for each of the two communication lines 2 and 3.
Thus, in the in-vehicle communication system according to Modification 2, the message monitoring function is provided in the gateway 210 to which the plurality of communication lines 2 and 3 are connected. Message monitoring can thereby be performed centrally in the gateway 210, and compared with a configuration that provides a separate monitoring device 10 on each of the communication lines 2 and 3, the in-vehicle communication system can be made smaller and less costly.
(Embodiment 2)
FIG. 7 is a block diagram showing the configuration of the in-vehicle communication system according to Embodiment 2. Like the system of Embodiment 1, the in-vehicle communication system according to Embodiment 2 has a plurality of ECUs 330 mounted on the vehicle 1 and connected via a common communication line 2, and includes a monitoring device 310 that monitors the exchange of messages by the ECUs 330 via communication line 2.
The monitoring device 310 comprises a processing unit 311, a communication unit 12, a storage unit 13, a counter 314 and so on. The processing unit 311 is built around an arithmetic processing device such as a CPU or MPU and performs various processes related to message monitoring by executing a program stored in a ROM (not shown) or the like. The counter 314 is a circuit that holds a numerical value; it increments (counts up) the held value in response to an add instruction from the processing unit 311 and resets the held value to 0 in response to an initialization instruction. In Embodiment 2 the counter 314 counts the number of times a message has been judged illegitimate and discarded.
In the processing unit 311 of the monitoring device 310 according to Embodiment 2, executing a monitoring program stored in a ROM or the like realizes the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, the erasure processing unit 24, the initialization processing unit 325 and so on as software functional blocks. The determination processing unit 21 determines whether a message transmitted by an ECU 330 on communication line 2 is legitimate. When the determination processing unit 21 determines that the message is not legitimate, the discard processing unit 22 outputs an error frame to communication line 2 before transmission of the message completes, causing the ECUs 330 to discard the illegitimate message. When the discard processing unit 22 performs the discard process, the processing unit 311 stores the ID attached to the illegitimate message in the storage unit 13 as a discard ID and counts up the counter 314.
Thereafter, when a message is transmitted on communication line 2, the processing unit 311 determines whether the ID of that message matches the discard ID stored in the storage unit 13. If the two IDs do not match, it concludes that the illegitimate message is not being retransmitted; the initialization processing unit 325 of the processing unit 311 initializes the counter 314, and the erasure processing unit 24 erases the discard ID stored in the storage unit 13. If the two IDs match, the processing unit 311 determines whether the value held in the counter 314 exceeds a predetermined number. If the value of the counter 314 does not exceed the predetermined number, the determination processing unit 21 determines whether the message is legitimate and the discard processing unit 22 discards it if it is illegitimate, as described above.
If the value of the counter 314 exceeds the predetermined number, the notification processing unit 23 has the communication unit 12 output an ACK to communication line 2 in response to the transmission of the message, regardless of whether the message is legitimate, thereby notifying the sender that reception is complete. When the notification processing unit 23 outputs the ACK, the erasure processing unit 24 erases from the storage unit 13 the ID stored there as the discard ID. Likewise, in this case the initialization processing unit 325 initializes the counter 314.
Each ECU 330 included in the in-vehicle communication system according to Embodiment 2 comprises a processing unit 331, a communication unit 32, a storage unit 33, a counter 334 and so on. The processing unit 331 is built around an arithmetic processing device such as a CPU or MPU and performs various processes related to control of the vehicle 1. In the processing unit 331 of the ECU 330 according to Embodiment 2, executing a communication program stored in a ROM or the like realizes the prohibition processing unit 41 as a software functional block. The counter 334 is a circuit that holds a numerical value; it counts up the held value in response to an add instruction from the processing unit 331 and resets the held value to 0 in response to an initialization instruction.
When a message transmitted on communication line 2 is discarded because of an error frame from the monitoring device 310, the processing unit 331 of each ECU 330 according to Embodiment 2 stores the ID attached to that message in the storage unit 33. The prohibition processing unit 41 prohibits processing that uses a message bearing the same ID as the discard ID stored in the storage unit 33. Thereafter, when a message is transmitted on communication line 2, the processing unit 331 determines whether the ID of that message matches the discard ID stored in the storage unit 33. If the two IDs do not match, it concludes that the illegitimate message is not being retransmitted, and the processing unit 331 initializes the counter 334 and erases the discard ID stored in the storage unit 33. If the two IDs match, the processing unit 331 determines whether the value held in the counter 334 exceeds a predetermined number. The predetermined number against which the ECU 330 compares the counter 334 is the same value as the predetermined number against which the monitoring device 310 compares the counter 314. If the value of the counter 334 does not exceed the predetermined number, the processing unit 331 performs normal message reception (although the message may still be discarded by the monitoring device 310).
If the value of the counter 334 exceeds the predetermined number, the processing unit 331 has the communication unit 32 output an ACK to communication line 2 in response to the transmission of the message, notifying the sender that reception is complete. At this time the processing unit 331 erases the ID stored as the discard ID in the storage unit 33 and initializes the counter 334.
FIG. 8 is a flowchart showing the procedure of the monitoring process performed by the monitoring device 310 according to Embodiment 2. The processing unit 311 of the monitoring device 310 according to Embodiment 2 determines whether an ECU 330 has started transmitting a message on communication line 2 (step S51). If no message is being transmitted (S51: NO), the processing unit 311 waits until an ECU 330 transmits a message. If an ECU 330 transmits a message (S51: YES), the processing unit 311 acquires the message ID at the point at which the ID has been output on communication line 2 (step S52). The processing unit 311 also acquires the ID stored in the storage unit 13 as the discard ID (step S53). If no discard ID is stored in the storage unit 13 at this time, the processing unit 11 need not acquire one.
The processing unit 311 determines whether the ID acquired in step S52 matches the ID acquired in step S53 (step S54). If no discard ID could be acquired in step S53, the processing unit 311 may simply determine in step S54 that the IDs do not match. If the two IDs do not match (S54: NO), the initialization processing unit 325 of the processing unit 311 initializes the counter 314 (step S55). The erasure processing unit 24 of the processing unit 311 also erases the ID stored as the discard ID in the storage unit 33 (step S56), and the process proceeds to step S58.
If the two IDs match (S54: YES), the processing unit 311 determines whether the value held in the counter 314 exceeds the predetermined number (step S57). If the value of the counter 314 does not exceed the predetermined number (S57: NO), or after the ID has been erased from the storage unit 33 in step S56, the determination processing unit 21 of the processing unit 311 acquires the authentication information contained in the message at the point at which it has been output on communication line 2, verifies the acquired authentication information (step S58), and determines whether the message being transmitted on communication line 2 is legitimate (step S59).
When the determination processing unit 21 determines that the message being transmitted on communication line 2 is not legitimate (S59: NO), the discard processing unit 22 of the processing unit 311 outputs an error frame to communication line 2 before transmission of the message completes (step S60), causing the ECUs 330 to discard the message. The processing unit 311 stores the ID of this message in the storage unit 13 as a discard ID (step S61). The processing unit 311 also adds 1 to the value of the counter 314 (step S62) and ends the process.
If the value of the counter 314 exceeds the predetermined number (S57: YES), or if the determination processing unit 21 determines that the message being transmitted on communication line 2 is legitimate (S59: YES), the notification processing unit 23 of the processing unit 311 outputs an ACK to communication line 2 (step S63), notifying completion of reception of the message. The processing unit 311 erases the ID stored as the discard ID in the storage unit 13 (step S64). The processing unit 311 also initializes the counter 314 (step S65) and ends the process.
FIGS. 9 and 10 are flowcharts showing the procedure of the reception process performed by each ECU 330 according to Embodiment 2. The processing unit 331 of the ECU 330 according to Embodiment 2 determines whether another ECU 330 has started transmitting a message on communication line 2 (step S71). If no message is being transmitted (S71: NO), the processing unit 331 waits until another ECU 330 transmits a message. If another ECU 330 transmits a message (S71: YES), the processing unit 331 acquires the message ID at the point at which the ID has been output on communication line 2 (step S72). The processing unit 331 also acquires the ID stored in the storage unit 33 as the discard ID (step S73). If no discard ID is stored in the storage unit 33 at this time, the processing unit 331 need not acquire one.
The processing unit 331 determines whether the ID acquired in step S72 matches the ID acquired in step S73 (step S74). If no discard ID could be acquired in step S73, the processing unit 331 may simply determine in step S74 that the IDs do not match. If the two IDs do not match (S74: NO), the processing unit 331 determines whether an error frame was received before transmission of the message completed (step S75). If no error frame was received (S75: NO), the processing unit 331 receives the message output on communication line 2 (step S76). The processing unit 331 outputs an ACK to communication line 2 (step S77), notifying completion of reception of the message. The processing unit 331 performs processing based on the received message (step S78). The processing unit 331 also initializes the counter 334 (step S79), erases the ID stored as the discard ID in the storage unit 33 (step S80), and ends the process.
 If an error frame was received before transmission of the message on the communication line 2 completed (S75: YES), the processing unit 331 aborts the reception process for this message and discards the message (step S81). The processing unit 331 also stores the ID of this message in the storage unit 33 as the discard ID (step S82), adds 1 to the value of the counter 334 (step S83), and ends the process.
 If the ID acquired in step S72 matches the ID acquired in step S73 (S74: YES), the processing unit 331 determines whether the value held by the counter 334 exceeds a predetermined number (step S84). If the value of the counter 334 does not exceed the predetermined number (S84: NO), the processing unit 331 proceeds to step S75. If the value of the counter 334 exceeds the predetermined number (S84: YES), the prohibition processing unit 41 of the processing unit 331 prohibits processing based on the received message (step S85). The processing unit 331 outputs an ACK to the communication line 2 (step S86), notifying that reception of this message is complete. The processing unit 331 then erases the ID stored in the storage unit 33 as the discard ID (step S87), initializes the counter 334 (step S88), and ends the process.
 The in-vehicle communication system according to the second embodiment, configured as described above, provides, in a system in which a plurality of ECUs 330 are connected via the common communication line 2, a monitoring device 310 having a determination processing unit 21 that determines whether a message is a regular message, a discard processing unit 22 that causes a non-regular message to be discarded before its transmission completes, a counter 314 that counts the number of times a message has been discarded, and a notification processing unit 23 that outputs an ACK signal when the value held by the counter exceeds a predetermined number. The discard processing unit 22 does not perform the discard processing on a message when the value of the counter 314 exceeds the predetermined number. Each ECU 330 also has a counter 334 that counts the number of times a message has been discarded by the monitoring device 310; when the value of the counter 334 exceeds the predetermined number, processing based on the received message is prohibited and is not performed.
 That is, in the in-vehicle communication system according to the second embodiment, transmissions of an unauthorized message up to the predetermined number of times are discarded by the discard processing unit 22, and the number of times the message has been discarded is counted by the counter 314 and the counter 334. If, in response to the discarding by the discard processing unit 22, an unauthorized ECU for example keeps retransmitting the unauthorized message so that the number of discards exceeds the predetermined number, the notification processing unit 23 of the monitoring device 310 outputs an ACK signal, but each ECU 330 is prohibited from performing processing based on that unauthorized message and does not perform it. Because an ACK signal indicating completion of reception has been output, the unauthorized ECU that transmitted the unauthorized message judges that the message was received by the ECUs 330 and therefore stops retransmitting it.
 The monitoring device 310 also has a storage unit 13 that stores the ID attached to a message discarded by the discard processing unit 22, and initializes the counter 314 when a message carrying an ID different from the ID stored in the storage unit 13 is transmitted on the communication line 2. Likewise, each ECU 330 has a storage unit 33 that stores the ID attached to a message that the monitoring device 310 caused to be discarded, and initializes the counter 334 when a message carrying an ID different from the ID stored in the storage unit 33 is transmitted. The counters 314 and 334 therefore count only while the same ID is being transmitted repeatedly.
 The counters 314 and 334 are also initialized when the notification processing unit 23 of the monitoring device 310 outputs the ACK signal. This prevents processing based on regular messages from remaining prohibited in each ECU 330.
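The receive procedure of steps S71 to S88 and the monitor-side rules of the preceding paragraphs (count discards per ID, force an ACK once the count exceeds the predetermined number, reset on a different ID or on the ACK) are run end to end in the following model. This is an added example written for this page, not code from the patent or its assignees. The shared communication line is reduced to a function call, the determination unit 21 is modelled as an allow-list of IDs, and the threshold value, frame IDs and class names are assumptions. The model also covers the variant of claims 1 and 2, which discards a given ID once and forces the ACK on the next frame carrying the stored ID; in this model that is the special case of a predetermined number of 0.

```python
"""Model of the embodiment 2 bus guard: monitoring device 310 plus ECUs 330.
Added illustration, not code from the patent. The line, the allow-list used as
the determination rule, the threshold and all names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    can_id: int
    data: bytes


class Monitor:
    """Monitoring device 310: units 21, 22, 23, 24 and 325, storage 13, counter 314."""
    def __init__(self, allowed_ids, threshold):
        self.allowed_ids = frozenset(allowed_ids)    # assumed determination rule
        self.threshold = threshold                   # the "predetermined number"
        self.discard_id = None                       # storage unit 13
        self.counter = 0                             # counter 314

    def observe(self, frame):
        """'pass' (regular), 'error' (error frame before the frame completes), 'ack' (forced)."""
        if self.discard_id is not None and frame.can_id != self.discard_id:
            self.discard_id, self.counter = None, 0  # init unit 325: other ID
        if frame.can_id in self.allowed_ids:         # determination unit 21
            return "pass"
        if self.counter > self.threshold:            # notification unit 23
            self.discard_id, self.counter = None, 0  # erase ID, reset counter
            return "ack"
        self.discard_id = frame.can_id               # storage unit 13
        self.counter += 1
        return "error"                               # discard unit 22


class Ecu:
    """ECU 330 receive procedure, steps S72 to S88 of Figs. 9 and 10."""
    def __init__(self, threshold):
        self.threshold = threshold
        self.discard_id = None                       # storage unit 33
        self.counter = 0                             # counter 334
        self.processed = []                          # frames handed to step S78

    def receive(self, frame, error_frame_seen):
        # S72-S74: compare the ID on the line with the stored discard ID.
        if self.discard_id is not None and frame.can_id == self.discard_id:
            if self.counter > self.threshold:        # S84 YES
                self.discard_id, self.counter = None, 0  # S85 prohibit, S86 ACK, S87, S88
                return "prohibited"
        else:
            self.counter = 0                         # other ID resets counter 334
        if error_frame_seen:                         # S75 YES
            self.discard_id = frame.can_id           # S81 discard, S82 store ID
            self.counter += 1                        # S83
            return "discarded"
        self.processed.append(frame)                 # S76 receive, S77 ACK, S78 process
        self.discard_id, self.counter = None, 0      # S79 reset counter, S80 erase ID
        return "processed"


def transmit(monitor, ecus, frame):
    """One transmission: the monitor decides, every ECU sees the same line."""
    action = monitor.observe(frame)
    return action, tuple(e.receive(frame, action == "error") for e in ecus)


def rogue_retransmit(monitor, ecus, frame, max_tries=32):
    """A rogue node acts like a CAN controller: retransmit after every error
    frame, stop once the frame is acknowledged. Returns (tries, last action)."""
    for tries in range(1, max_tries + 1):
        action, _ = transmit(monitor, ecus, frame)
        if action != "error":
            return tries, action
    return max_tries, "still_discarded"


def demo(threshold=3):
    """Constructed traffic: ID 0x100 is regular, ID 0x7FF is not."""
    monitor = Monitor(allowed_ids={0x100, 0x200}, threshold=threshold)
    ecus = [Ecu(threshold), Ecu(threshold)]
    regular, rogue = Frame(0x100, b"\x01\x02"), Frame(0x7FF, b"\xde\xad")
    normal = transmit(monitor, ecus, regular)
    tries, final = rogue_retransmit(monitor, ecus, rogue)
    return {
        "regular": normal,
        "rogue_tries": tries,
        "rogue_final": final,
        "rogue_processed": any(f.can_id == 0x7FF for e in ecus for f in e.processed),
        "regular_processed": all(regular in e.processed for e in ecus),
    }


def interleaved_demo(threshold=3):
    """A regular frame between two retransmissions resets both counters."""
    monitor, ecus, rogue = Monitor({0x100}, threshold), [Ecu(threshold)], Frame(0x7FF, b"")
    transmit(monitor, ecus, rogue)                   # counters -> 1
    transmit(monitor, ecus, rogue)                   # counters -> 2
    transmit(monitor, ecus, Frame(0x100, b""))       # other ID: counters -> 0
    tries, final = rogue_retransmit(monitor, ecus, rogue)
    return tries, final, monitor.counter, ecus[0].counter
```

demo(3) returns a result in which the regular frame is processed by both ECUs, while the rogue frame is met with an error frame on its first four transmissions and a forced ACK on the fifth, after which rogue_retransmit stops; neither ECU hands the rogue frame to step S78, so rogue_processed is False. interleaved_demo shows the cost of the reset-on-different-ID rule of the paragraph above: a regular frame arriving between two retransmissions restarts both counts, so on a busy line the same unauthorized frame can draw more error frames before it is silenced. The model also makes two deployment conditions explicit. Counter 314 in the monitoring device and counter 334 in each ECU advance independently and are never exchanged, so every node must apply the same predetermined number and the same reset rules; an ECU whose threshold is higher than the monitor's would reach step S84 with a count that does not exceed it, see no error frame at step S75, and process the very frame the monitor has just waved through. And step S75 cannot distinguish the monitor's error frame from a genuine bus error on the same ID, so line faults advance counter 334 as well.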
 In the second embodiment, the monitoring device 310 that performs the processing of the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, the erasure processing unit 24 and the initialization processing unit 325 is provided separately from the ECUs 330, but the configuration is not limited to this. For example, as in the configuration shown in Modification 1 of the first embodiment, each ECU 330 may itself perform the processing of the determination processing unit 21, the discard processing unit 22, the notification processing unit 23, the erasure processing unit 24 and the initialization processing unit 325.
 The other configuration of the in-vehicle communication system according to the second embodiment is the same as that of the in-vehicle communication system according to the first embodiment; the same parts are denoted by the same reference numerals and their detailed description is omitted.
DESCRIPTION OF SYMBOLS
 1 vehicle
 2, 3 communication line
 10 monitoring device
 11 processing unit
 12, 12a, 12b communication unit
 13 storage unit
 21 determination processing unit (determination unit)
 22 discard processing unit (discard unit)
 23 notification processing unit (reception completion notification unit)
 24 erasure processing unit (storage erasure unit)
 30 ECU (communication device)
 31 processing unit
 32 communication unit
 33 storage unit
 41 prohibition processing unit (prohibition unit)
 130 ECU (communication device)
 131 processing unit
 210 gateway
 211 processing unit
 310 monitoring device
 311 processing unit
 314 counter
 325 initialization processing unit (initialization unit)
 330 ECU (communication device)
 331 processing unit
 334 counter

Claims (10)

  1.  An in-vehicle communication system in which a plurality of communication devices mounted on a vehicle are connected via a common communication line, comprising:
     a determination unit that determines whether a message transmitted on the communication line is a regular message;
     a discard unit that performs processing to cause a message determined by the determination unit not to be a regular message to be discarded before transmission of that message completes;
     a storage unit that stores identification information of a message discarded by the discard unit; and
     a reception completion notification unit that, when a message carrying identification information stored in the storage unit is received, outputs to the communication line a signal indicating that reception of that message has completed, regardless of the determination result of the determination unit,
     wherein each communication device has a prohibition unit that prohibits processing based on a message carrying identification information stored in the storage unit, and
     the discard unit does not perform the discard processing on a message carrying identification information stored in the storage unit.
  2.  The in-vehicle communication system according to claim 1, further comprising a storage erasure unit that erases the identification information stored in the storage unit when the signal has been output by the reception completion notification unit.
  3.  The in-vehicle communication system according to claim 1 or 2, comprising a monitoring device connected to the communication line, having the determination unit, the discard unit and the storage unit, and monitoring messages transmitted on the communication line,
     wherein each communication device has the storage unit, and
     at least one of the monitoring device and the plurality of communication devices has the reception completion notification unit.
  4.  The in-vehicle communication system according to claim 1 or 2, wherein each communication device has the determination unit, the discard unit and the storage unit, and
     at least one of the plurality of communication devices has the reception completion notification unit.
  5.  An in-vehicle communication system in which a plurality of communication devices mounted on a vehicle are connected via a common communication line, comprising:
     a determination unit that determines whether a message transmitted on the communication line is a regular message;
     a discard unit that performs processing to cause a message determined by the determination unit not to be a regular message to be discarded before transmission of that message completes;
     a counter that counts the number of times a message has been discarded by the discard unit; and
     a reception completion notification unit that, when the number of times counted by the counter exceeds a predetermined number, outputs to the communication line a signal indicating that reception of the message has completed, regardless of the determination result of the determination unit,
     wherein each communication device has a prohibition unit that prohibits processing based on a received message when the number of times counted by the counter exceeds the predetermined number, and
     the discard unit does not perform the discard processing on a message when the number of times counted by the counter exceeds the predetermined number.
  6.  The in-vehicle communication system according to claim 5, comprising:
     a storage unit that stores identification information of the discarded message when a message is discarded by the discard unit; and
     an initialization unit that initializes the counter when a message carrying identification information different from the identification information stored in the storage unit is transmitted on the communication line.
  7.  The in-vehicle communication system according to claim 5 or 6, comprising an initialization unit that initializes the counter when the signal has been output by the reception completion notification unit.
  8.  The in-vehicle communication system according to any one of claims 5 to 7, comprising a monitoring device connected to the communication line, having the determination unit, the discard unit and the counter, and monitoring messages transmitted on the communication line,
     wherein each communication device has the counter, and
     at least one of the monitoring device and the plurality of communication devices has the reception completion notification unit.
  9.  The in-vehicle communication system according to any one of claims 5 to 7, wherein each communication device has the determination unit, the discard unit and the counter, and
     at least one of the plurality of communication devices has the reception completion notification unit.
  10.  The in-vehicle communication system according to claim 3 or 8, wherein the monitoring device is a gateway device that is connected to a plurality of communication lines and relays messages between the communication lines.
PCT/JP2016/077959 2015-09-29 2016-09-23 Vehicle communication system WO2017057165A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201680052782.0A CN108028855B (en) 2015-09-29 2016-09-23 Vehicle-mounted communication system
US15/763,308 US10554623B2 (en) 2015-09-29 2016-09-23 On-board communication system
DE112016004438.0T DE112016004438T5 (en) 2015-09-29 2016-09-23 BOARD COMMUNICATION SYSTEM

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015192146A JP6481579B2 (en) 2015-09-29 2015-09-29 In-vehicle communication system and monitoring device
JP2015-192146 2015-09-29

Publications (1)

Publication Number Publication Date
WO2017057165A1 true WO2017057165A1 (en) 2017-04-06

Family

ID=58423787

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/077959 WO2017057165A1 (en) 2015-09-29 2016-09-23 Vehicle communication system

Country Status (5)

Country Link
US (1) US10554623B2 (en)
JP (1) JP6481579B2 (en)
CN (1) CN108028855B (en)
DE (1) DE112016004438T5 (en)
WO (1) WO2017057165A1 (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6477281B2 (en) * 2015-06-17 2019-03-06 株式会社オートネットワーク技術研究所 In-vehicle relay device, in-vehicle communication system, and relay program
JP6561811B2 (en) * 2015-12-09 2019-08-21 株式会社オートネットワーク技術研究所 In-vehicle communication device, in-vehicle communication system, and vehicle specific processing prohibition method
WO2018142504A1 (en) * 2017-02-01 2018-08-09 富士通株式会社 Encryption key delivery system, key delivery ecu, key reception ecu, key delivery program, key reception program, and method for delivering encryption key
JP6956624B2 (en) * 2017-03-13 2021-11-02 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカPanasonic Intellectual Property Corporation of America Information processing methods, information processing systems, and programs
JP6620133B2 (en) * 2017-09-28 2019-12-11 株式会社Subaru Vehicle communication control device and vehicle communication control system
CN111835627B (en) * 2019-04-23 2022-04-26 华为技术有限公司 Communication method of vehicle-mounted gateway, vehicle-mounted gateway and intelligent vehicle
CN113467409A (en) * 2020-03-31 2021-10-01 北京新能源汽车股份有限公司 Fault diagnosis method and device for electronic control unit of vehicle
JP2022091585A (en) * 2020-12-09 2022-06-21 トヨタ自動車株式会社 Relay device for vehicle communication, relay method for vehicle communication and program

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003204322A (en) * 2001-10-15 2003-07-18 Mitsubishi Electric Corp Cryptographic communication system
JP2007174287A (en) * 2005-12-22 2007-07-05 Nec Corp Radio packet communication system, radio packet base station, radio packet terminal and illegal communication canceling method
US20150089236A1 (en) * 2013-09-24 2015-03-26 The Regents Of The University Of Michigan Real-Time Frame Authentication Using ID Anonymization In Automotive Networks
JP2015114907A (en) * 2013-12-12 2015-06-22 日立オートモティブシステムズ株式会社 Network device and network system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR20060056940A (en) * 2003-07-11 2006-05-25 코닌클리즈케 필립스 일렉트로닉스 엔.브이. Transmission of data packets from a transmitter to a receiver
US7783300B2 (en) * 2006-11-22 2010-08-24 Airdefense, Inc. Systems and methods for proactively enforcing a wireless free zone
CN101795170B (en) * 2009-02-02 2013-11-06 中兴通讯股份有限公司 Method, receiving equipment and system for realizing data feedback
US8239932B2 (en) * 2009-08-12 2012-08-07 At&T Mobility Ii, Llc. Signal transfer point front end processor
JP5770602B2 (en) 2011-10-31 2015-08-26 トヨタ自動車株式会社 Message authentication method and communication system in communication system
US9614767B2 (en) * 2011-12-02 2017-04-04 Autonetworks Technologies, Ltd. Transmission message generating device and vehicle-mounted communication system

Also Published As

Publication number Publication date
JP6481579B2 (en) 2019-03-13
DE112016004438T5 (en) 2018-06-21
CN108028855B (en) 2020-10-13
US20180288000A1 (en) 2018-10-04
CN108028855A (en) 2018-05-11
JP2017069719A (en) 2017-04-06
US10554623B2 (en) 2020-02-04

Similar Documents

Publication Publication Date Title
JP6481579B2 (en) In-vehicle communication system and monitoring device
JP6477281B2 (en) In-vehicle relay device, in-vehicle communication system, and relay program
JP6685023B2 (en) Electronic control device, communication method, and program
JP6525824B2 (en) Relay device
JP5770602B2 (en) Message authentication method and communication system in communication system
WO2016080422A1 (en) Communication control device and communication system
US11938897B2 (en) On-vehicle device, management method, and management program
WO2017038422A1 (en) Communication device
KR20110031752A (en) Method and apparatus for detecting sybil attack node using localization information and hash chain in ubiquitous sensor networks
JP2023535474A (en) ASSOCIATION CONTROL METHOD AND RELATED DEVICE
JP2017050719A (en) On-vehicle network system
KR20190097216A (en) Computer-readable storage medium containing a method, apparatus and instructions for signing measurements of a sensor
CN113273144B (en) Vehicle-mounted communication system, vehicle-mounted communication control device, vehicle-mounted communication device, communication control method, and communication method
CN111343129B (en) Method and equipment for preventing protocol networking from being cracked
JP7110950B2 (en) network system
JP2018019218A (en) Electronic control device
CN112740726B (en) Data transmission method and device
CN108076046B (en) Communication system
WO2017065100A1 (en) Vehicle-mounted communication system and monitoring device
JP2016129339A (en) Reception device and reception method
KR20220065680A (en) Vehicle communication system, communication method, and storage medium storing communication program
WO2018206139A1 (en) Authentication exchange for wireless networks using variable expected response lengths
JP2015112963A (en) On-vehicle network system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 16851339; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 15763308; Country of ref document: US)
WWE Wipo information: entry into national phase (Ref document number: 112016004438; Country of ref document: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 16851339; Country of ref document: EP; Kind code of ref document: A1)